From 4869ccfed6ba8c44fb49844a5a8abbb671518954 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 17 Dec 2007 15:21:38 -0500 Subject: While 'data' is usually 0 terminated, nothing in the spec requires that. The correct way is to copy only 'length' bytes. Simo. (This used to be commit 814c1b0e0034fb67c7718760dfcf913904f3e7fa) --- source3/libads/kerberos.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 227f95d15e..4fc23956bd 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -521,7 +521,10 @@ char *kerberos_get_default_realm_from_ccache( void ) #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM) realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ)); #elif defined(HAVE_KRB5_PRINC_REALM) - realm = SMB_STRDUP(krb5_princ_realm(ctx, princ)->data); + { + krb5_data *realm_data = krb5_princ_realm(ctx, princ); + realm = SMB_STRNDUP(realm_data->data, realm_data->length); + } #endif out: -- cgit From afc93255d183eefb68e45b8ec6275f6a62cf9795 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 26 Dec 2007 17:12:36 -0800 Subject: Add SMB encryption. Still fixing client decrypt but negotiation works. Jeremy. (This used to be commit d78045601af787731f0737b8627450018902b104) --- source3/libads/ads_status.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/libads') diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c index ecef9d224b..29148e8543 100644 --- a/source3/libads/ads_status.c +++ b/source3/libads/ads_status.c @@ -141,3 +141,12 @@ const char *ads_errstr(ADS_STATUS status) } } +#ifdef HAVE_GSSAPI +NTSTATUS gss_err_to_ntstatus(uint32 maj, uint32 min) +{ + ADS_STATUS adss = ADS_ERROR_GSS(maj, min); + DEBUG(10,("gss_err_to_ntstatus: Error %s\n", + ads_errstr(adss) )); + return ads_ntstatus(adss); +} +#endif -- cgit From 240391be5345aef88a25c1221942202ba33588b8 Mon Sep 17 00:00:00 2001 
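Review bot: The reason for the `SMB_STRNDUP` lives only in the commit message, so the next reader sees an odd-looking block with no explanation; put it beside the code, `/* krb5_data is a counted buffer, not a C string: copy exactly 'length' bytes */`. `SMB_STRNDUP()` can also return NULL and nothing in the new block checks it before control reaches `out:`; if the lines after the label (outside the hunk) just return `realm`, an allocation failure is indistinguishable from "no realm" for the caller, which is worth at least a DEBUG there. The rest of kerberos_get_default_realm_from_ccache() is outside the hunk.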
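Review bot: `gss_err_to_ntstatus()` is a new non-static function with no header comment, unlike the error-string helpers it sits next to; add one that states the contract, e.g. `/* Map a GSSAPI major/minor status pair to an NTSTATUS via ADS_ERROR_GSS(); logs the ADS error text at level 10. */`. The parameter name `min` is easy to confuse with a min() macro or helper if any included header provides one; `minor_status`/`major_status` would be clearer and mirror the GSSAPI naming.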
From: Volker Lendecke Date: Sat, 29 Dec 2007 22:47:03 +0100 Subject: Make use of [un]marshall_sec_desc (This used to be commit 54576733d6c0511dc7379f964b1cb035913b7c8d) --- source3/libads/ldap.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 348ccacaee..953693ce48 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2384,20 +2384,22 @@ int ads_count_replies(ADS_STRUCT *ads, void *res) LDAPMessage *msg, const char *field, SEC_DESC **sd) { struct berval **values; - bool ret = False; + bool ret = true; values = ldap_get_values_len(ads->ldap.ld, msg, field); - if (!values) return False; + if (!values) return false; if (values[0]) { - prs_struct ps; - prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL); - prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len); - prs_set_offset(&ps,0); - - ret = sec_io_desc("sd", sd, &ps, 1); - prs_mem_free(&ps); + NTSTATUS status; + status = unmarshall_sec_desc(mem_ctx, + (uint8 *)values[0]->bv_val, + values[0]->bv_len, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("unmarshall_sec_desc failed: %s\n", + nt_errstr(status))); + ret = false; + } } ldap_value_free_len(values); -- cgit From b076a7e802a89bdc5b369e98c7d69d8f970d8265 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 3 Jan 2008 17:28:09 +0100 Subject: Add ads_get_joinable_ous(). Guenther (This used to be commit 5bbceac88159ef6ff83d9cc62c77c7af2116967d) --- source3/libads/ldap.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 953693ce48..843d57988c 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c 
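Review bot: Initialising `ret = true` changes the result for an attribute that is present but has no values: when `values[0]` is NULL the function now returns true without ever writing `*sd`, whereas before it returned False, so a caller that trusts the return value goes on to use an unset `sd`. Keep the old default and report success only after a successful unmarshal: `bool ret = false;` at the top and `ret = true;` after the `NT_STATUS_IS_OK(status)` check (dropping the `ret = false;` in the failure branch). The security descriptor being parsed comes from the directory, so failing closed here is the right default; the function's signature and return are outside the hunk.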
@@ -2790,6 +2790,66 @@ ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffix return status; } +/** + * get the joinable ous for a domain + * @param ads connection to ads server + * @param mem_ctx Pointer to talloc context + * @param ous Pointer to an array of ous + * @param num_ous Pointer to the number of ous + * @return status of search + **/ +ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + char ***ous, + size_t *num_ous) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + LDAPMessage *msg = NULL; + const char *attrs[] = { "dn", NULL }; + int count = 0; + + status = ads_search(ads, &res, + "(|(objectClass=domain)(objectclass=organizationalUnit))", + attrs); + if (!ADS_ERR_OK(status)) { + return status; + } + + count = ads_count_replies(ads, res); + if (count < 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + for (msg = ads_first_entry(ads, res); msg; + msg = ads_next_entry(ads, msg)) { + + char *dn = NULL; + + dn = ads_get_dn(ads, msg); + if (!dn) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!add_string_to_array(mem_ctx, dn, + (const char ***)ous, + (int *)num_ous)) { + ads_memfree(ads, dn); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + ads_memfree(ads, dn); + } + + ads_msgfree(ads, res); + + return status; +} + + /** * pull a DOM_SID from an extended dn string * @param mem_ctx TALLOC_CTX -- cgit From 3f42428f9bca5b8473501adc932405cae3c247bb Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 21:45:28 +0100 Subject: Fix a misleading DEBUG message. At this stage, the (tcp) connection to the LDAP server has not been established, this is what is about to be attempted. What has been succesfully done, is a CLDAP netlogon query. Michael (This used to be commit 71c3c8ad4c92c5f6267b84ee1d207e5e49e9a4ec) --- source3/libads/ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads') 
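Review bot: `(int *)num_ous` passes a `size_t *` to a function that writes an `int`, so on 64-bit builds only half of `*num_ous` is written (the wrong half on big-endian targets) and the other half keeps whatever the caller left there; it is also an aliasing violation. Count in a local `int` and store it once at the end, as below; this assumes callers start with `*ous == NULL` and `*num_ous == 0`, as a getter implies — if they may append, seed `n_ous` from `*num_ous` instead. The same cast on `ous` is harmless only as long as `add_string_to_array()` really takes `const char ***`; worth a glance.
```c
	ADS_STATUS status;
	LDAPMessage *res = NULL;
	LDAPMessage *msg = NULL;
	const char *attrs[] = { "dn", NULL };
	int count = 0;
	int n_ous = 0;	/* add_string_to_array() takes an int *, not a size_t * */

	/* … unchanged: ads_search(), reply count check, entry loop up to ads_get_dn() … */

		if (!add_string_to_array(mem_ctx, dn,
					 (const char ***)ous,
					 &n_ous)) {
	/* … unchanged: error path, ads_memfree() … */

	*num_ous = n_ous;
	ads_msgfree(ads, res);
```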
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 843d57988c..138dfe9015 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -400,7 +400,7 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads) got_connection: print_sockaddr(addr, sizeof(addr), &ads->ldap.ss); - DEBUG(3,("Connected to LDAP server %s\n", addr)); + DEBUG(3,("Successfully contacted LDAP server %s\n", addr)); if (!ads->auth.user_name) { /* Must use the userPrincipalName value here or sAMAccountName -- cgit From 4ad3464fb94c7088e7fd731113c682aa7756ef01 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 21:53:25 +0100 Subject: Unindent function header. Michael (This used to be commit cafda34783f0961c9b463803c19cfcb69f836e3f) --- source3/libads/ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 138dfe9015..712e7e2889 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -52,7 +52,7 @@ static void gotalarm_sig(void) gotalarm = 1; } - LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) +LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) { LDAP *ldp = NULL; -- cgit From 34e579fce5a6cc9ffa60fbe6e797b2e6b35c879e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 21:54:02 +0100 Subject: Enhance DEBUG-verbosity of ldap_open_with_timeout(). Michael (This used to be commit 9e70d1f24dd304c363a1bde97b5af618b46edc49) --- source3/libads/ldap.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 712e7e2889..8a2b82a61d 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c 
@@ -56,6 +56,10 @@ LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) { LDAP *ldp = NULL; + + DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout " + "%u seconds\n", server, port, to)); + /* Setup timeout */ gotalarm = 0; CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig); @@ -65,8 +69,10 @@ LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) ldp = ldap_open(server, port); if (ldp == NULL) { - DEBUG(2,("Could not open LDAP connection to %s:%d: %s\n", + DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n", server, port, strerror(errno))); + } else { + DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port)); } /* Teardown timeout. */ -- cgit From 2cb68e3898046ea0dd2ddcf1e32dc7dffca79be8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 21:56:57 +0100 Subject: Untangle assignment and result check. Michael (This used to be commit 465a3b356cffb855e26569d3752f15cac07208c0) --- source3/libads/ldap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 8a2b82a61d..ae8e1e4d4d 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -448,9 +448,9 @@ got_connection: /* Otherwise setup the TCP LDAP session */ - if ( (ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, - LDAP_PORT, lp_ldap_timeout())) == NULL ) - { + ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, + LDAP_PORT, lp_ldap_timeout()); + if (ads->ldap.ld == NULL) { return ADS_ERROR(LDAP_OPERATIONS_ERROR); } -- cgit From b54310cbaa9584a46decfa2a5bc4bb2a72381a98 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 22:06:15 +0100 Subject: Add a debug message (when the LDAP server has really been connected). Michael (This used to be commit 7d9d2de39072b3291b95ac3965df0d19f83792b9) --- source3/libads/ldap.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libads') 
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index ae8e1e4d4d..44560c852d 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -453,6 +453,7 @@ got_connection: if (ads->ldap.ld == NULL) { return ADS_ERROR(LDAP_OPERATIONS_ERROR); } + DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name)); /* cache the successful connection for workgroup and realm */ if (ads_closest_dc(ads)) { -- cgit From 4aba7475effff485f265fb975cf467fffd6c7db0 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 4 Jan 2008 22:56:10 +0100 Subject: Re-Indent function ldap_open_with_timeout(). This reverts commit #cafda34783f0961c9b463803c19cfcb69f836e3f . I just learned (the hard way) that these indeted functions are not indented by accident but that the intention of this is to not include the prototype into proto.h. Michael (This used to be commit 2e5d01b2146bb9e057b2779d9fe7691ed46d9f45) --- source3/libads/ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 44560c852d..975e926864 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -52,7 +52,7 @@ static void gotalarm_sig(void) gotalarm = 1; } -LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) + LDAP *ldap_open_with_timeout(const char *server, int port, unsigned int to) { LDAP *ldp = NULL; -- cgit From f89fa0a6f85b74469519ba97752f45db8b879689 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 8 Jan 2008 13:46:54 +0100 Subject: Do not ignore provided machine_name in ads_get_upn(). Guenther (This used to be commit ddc1307844379f99b3dde48fc351d0326d22a7ce) --- source3/libads/ldap.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 975e926864..28bc7793d7 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c 
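Review bot: The leading space on the `ldap_open_with_timeout` signature is load-bearing (the commit says it keeps the prototype out of the generated proto.h) but nothing in the code says so, which is exactly why it was "tidied" away a few commits earlier. Put the reason directly above the definition, e.g. `/* NOTE: deliberately indented so the proto.h generator does not export this prototype. */`, so the next cleanup does not revert it again.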
@@ -3026,26 +3026,26 @@ char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) ADS_STATUS status; int count = 0; char *name = NULL; - - status = ads_find_machine_acct(ads, &res, global_myname()); + + status = ads_find_machine_acct(ads, &res, machine_name); if (!ADS_ERR_OK(status)) { DEBUG(0,("ads_get_upn: Failed to find account for %s\n", global_myname())); goto out; } - + if ( (count = ads_count_replies(ads, res)) != 1 ) { DEBUG(1,("ads_get_upn: %d entries returned!\n", count)); goto out; } - + if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) { DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n")); } out: ads_msgfree(ads, res); - + return name; } -- cgit From 866af9a800cbfc022ce6144ee706c0826eb6c39b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Jan 2008 23:43:33 -0800 Subject: Coverity 512, uninitialized var. Jeremy. (This used to be commit 1b7cc80c61ccbf766801080f5a3f0260f40ccc17) --- source3/libads/authdata.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 500f2d455e..9a6f1061df 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -214,7 +214,7 @@ static bool pac_io_group_membership_array(const char *desc, static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { - uint32 garbage, i; + uint32 garbage = 0, i; if (NULL == info) return False; @@ -398,7 +398,7 @@ static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, prs_struct *ps, int depth) { - uint32 garbage; + uint32 garbage = 0; bool kerb_validation_info = True; if (NULL == info) -- cgit From 43717a16e2fca8b196d4a89e33b05fefc0cb02d2 Mon Sep 17 00:00:00 2001 
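Review bot: The failure DEBUG still prints `global_myname()` although the lookup now uses `machine_name`, so the log names the wrong account whenever a caller passes something other than the local name. Change it to `DEBUG(0,("ads_get_upn: Failed to find account for %s\n", machine_name));`. The declaration of `res` and the function's signature are outside the hunk.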
From: Jeremy Allison Date: Fri, 11 Jan 2008 23:53:27 -0800 Subject: Fix CID 476. Ensure a valid pac_data pointer is always passed to ads_verify_ticket as it's always derefed. Jeremy. (This used to be commit 0599d57efff0f417f75510e8b08c3cb7b4bcfcd8) --- source3/libads/kerberos_verify.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 7040093e90..5ce7aa6b45 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -501,8 +501,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n")); } - if (got_auth_data && pac_data != NULL) { - + if (got_auth_data) { pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data); if (!NT_STATUS_IS_OK(pac_ret)) { DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret))); -- cgit From a32cca7f372217e483ffda059e7775e3327982cc Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 14 Jan 2008 14:18:53 +0100 Subject: Print principal in debug statement in kerberos_kinit_password() as well. Guenther (This used to be commit 44d67e84625a2a1a93baecef0e418b48e982443b) --- source3/libads/kerberos.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 4fc23956bd..e9222e8401 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -209,7 +209,8 @@ int kerberos_kinit_password_ext(const char *principal, krb5_set_real_time(ctx, time(NULL) + time_offset, 0); } - DEBUG(10,("kerberos_kinit_password: using [%s] as ccache and config [%s]\n", + DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n", + principal, cache_name ? cache_name: krb5_cc_default_name(ctx), getenv("KRB5_CONFIG"))); -- cgit 
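Review bot: Dropping `pac_data != NULL` moves the whole precondition to the callers without recording it anywhere in ads_verify_ticket(); since the commit says `decode_pac_data()` always dereferences it, make that explicit with `SMB_ASSERT(pac_data != NULL);` near the top of the function, or at least state "must not be NULL" for that parameter in the function's header comment. The function start, where such a check or comment belongs, is outside the hunk.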
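Review bot: The message prefix still says `kerberos_kinit_password` although this is `kerberos_kinit_password_ext`, which makes the new principal line harder to attribute when both functions log at level 10; use `DEBUG(10,("kerberos_kinit_password_ext: as %s using [%s] as ccache and config [%s]\n",`. Passing `principal` to `%s` assumes no caller hands in NULL; if the earlier lines of the function (outside the hunk) do not already reject that, guard it as `principal ? principal : "<none>"`.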
From fbcc7820c620d45f02ab75e08d840e3a676fe671 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 16 Jan 2008 15:51:52 +0100 Subject: Fix memleak in ads_build_path(). Guenther (This used to be commit b7a06b54e0a58c4cd6c5351b1e4a0a2c253cfea1) --- source3/libads/ads_struct.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 041878916e..44bcdf76ea 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -32,18 +32,23 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int r = SMB_STRDUP(realm); - if (!r || !*r) + if (!r || !*r) { return r; + } - for (p=r; *p; p++) - if (strchr(sep, *p)) + for (p=r; *p; p++) { + if (strchr(sep, *p)) { numbits++; + } + } len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1; ret = (char *)SMB_MALLOC(len); - if (!ret) + if (!ret) { + free(r); return NULL; + } strlcpy(ret,field, len); p=strtok(r,sep); @@ -57,7 +62,8 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int else asprintf(&s, "%s,%s%s", ret, field, p); free(ret); - ret = s; + ret = SMB_STRDUP(s); + free(s); } } -- cgit From bd8abea49fed09e131ab5162821b0ed05c1ab1b0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Jan 2008 13:21:46 -0800 Subject: Fix IPv6 bug #5204, which caused krb5 DNS lookups for a name '['. Jeremy. (This used to be commit f2aa921505e49f894bfed4e5e2f9fc01918b1bb0) --- source3/libads/kerberos.c | 69 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 56 insertions(+), 13 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index e9222e8401..f7e947b1e7 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -25,6 +25,8 @@ #ifdef HAVE_KRB5 +#define DEFAULT_KRB5_PORT 88 + #define LIBADS_CCACHE_NAME "MEMORY:libads" /* 
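Review bot: `ret = SMB_STRDUP(s);` is not checked, and neither `asprintf()` call is, so on an allocation failure the next iteration formats `ret` (NULL, or `s` left indeterminate by a failed asprintf) through `%s`; the loop also leaks `r` on that path, which the first hunk has just started cleaning up for the `SMB_MALLOC` failure. The loop body below checks both results and frees `r` the same way; the `while` and the `asprintf` calls are outside this hunk (they are visible in the later strtok_r change on this page).
```c
		while ((p=strtok(NULL,sep))) {
			char *s = NULL;
			int rc;
			if (reverse)
				rc = asprintf(&s, "%s%s,%s", field, p, ret);
			else
				rc = asprintf(&s, "%s,%s%s", ret, field, p);
			free(ret);
			if (rc < 0) {
				free(r);	/* same cleanup as the SMB_MALLOC failure path */
				return NULL;
			}
			ret = SMB_STRDUP(s);
			free(s);
			if (ret == NULL) {
				free(r);
				return NULL;
			}
		}
```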
@@ -665,6 +667,51 @@ int kerberos_kinit_password(const char *principal, NULL); } +/************************************************************************ +************************************************************************/ + +static char *print_kdc_line(char *mem_ctx, + const char *prev_line, + const struct sockaddr_storage *pss) +{ + char *kdc_str = NULL; + + if (pss->ss_family == AF_INET) { + kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + prev_line, + print_canonical_sockaddr(mem_ctx, pss)); + } else { + char addr[INET6_ADDRSTRLEN]; + uint16_t port = get_sockaddr_port(pss); + + if (port != 0 && port != DEFAULT_KRB5_PORT) { + /* Currently for IPv6 we can't specify a non-default + krb5 port with an address, as this requires a ':'. + Resolve to a name. */ + char hostname[MAX_DNS_NAME_LENGTH]; + if (sys_getnameinfo((const struct sockaddr *)pss, + sizeof(*pss), + hostname, sizeof(hostname), + NULL, 0, + NI_NAMEREQD) == 0) { + /* Success, use host:port */ + kdc_str = talloc_asprintf(mem_ctx, + "%s\tkdc = %s:%u\n", + prev_line, + hostname, + (unsigned int)port); + return kdc_str; + } + } + kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + prev_line, + print_sockaddr(addr, + sizeof(addr), + pss)); + } + return kdc_str; +} + /************************************************************************ Create a string list of available kdc's, possibly searching by sitename. Does DNS queries. @@ -677,12 +724,10 @@ static char *get_kdc_ip_string(char *mem_ctx, { int i; struct ip_service *ip_srv_site = NULL; - struct ip_service *ip_srv_nonsite; + struct ip_service *ip_srv_nonsite = NULL; int count_site = 0; int count_nonsite; - char *kdc_str = talloc_asprintf(mem_ctx, "\tkdc = %s\n", - print_canonical_sockaddr(mem_ctx, - pss)); + char *kdc_str = print_kdc_line(mem_ctx, "", pss); if (kdc_str == NULL) { return NULL; 
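Review bot: The comment block above `print_kdc_line()` is empty, so the one non-obvious decision in it (resolving an IPv6 address back to a name) goes unexplained at the definition. Propose: `/* Append a "\tkdc = ..." line for pss to prev_line and return the talloc'd result, NULL on allocation failure. An IPv6 KDC on a non-default port is written as host:port, since "addr:port" would be ambiguous with the ':' inside the literal; if the name cannot be resolved the bare address is written and the port is lost. */`. The `print_canonical_sockaddr()` result in the AF_INET branch is passed to `%s` unchecked; whether it can return NULL is not visible here.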
@@ -700,10 +745,9 @@ static char *get_kdc_ip_string(char *mem_ctx, } /* Append to the string - inefficient * but not done often. */ - kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", - kdc_str, - print_canonical_sockaddr(mem_ctx, - &ip_srv_site[i].ss)); + kdc_str = print_kdc_line(mem_ctx, + kdc_str, + &ip_srv_site[i].ss); if (!kdc_str) { SAFE_FREE(ip_srv_site); return NULL; @@ -738,10 +782,9 @@ static char *get_kdc_ip_string(char *mem_ctx, } /* Append to the string - inefficient but not done often. */ - kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + kdc_str = print_kdc_line(mem_ctx, kdc_str, - print_canonical_sockaddr(mem_ctx, - &ip_srv_nonsite[i].ss)); + &ip_srv_nonsite[i].ss); if (!kdc_str) { SAFE_FREE(ip_srv_site); SAFE_FREE(ip_srv_nonsite); @@ -873,8 +916,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, } DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote " - "file %s with realm %s KDC = %s\n", - fname, realm_upper, print_canonical_sockaddr(dname, pss) )); + "file %s with realm %s KDC list = %s\n", + fname, realm_upper, kdc_ip_string)); /* Set the environment variable to this file. */ setenv("KRB5_CONFIG", fname, 1); -- cgit From 70426bdd307be2bbaa2ec6f111440bae69216933 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Jan 2008 13:28:24 -0800 Subject: Tidy up code and debug for non-default krb5 IPv6 port. Jeremy. (This used to be commit 79b7972de4c2a8c71e37642ddf7e5bbed53dd58a) --- source3/libads/kerberos.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index f7e947b1e7..b99525047f 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -689,25 +689,31 @@ static char *print_kdc_line(char *mem_ctx, krb5 port with an address, as this requires a ':'. Resolve to a name. */ char hostname[MAX_DNS_NAME_LENGTH]; - if (sys_getnameinfo((const struct sockaddr *)pss, + int ret = sys_getnameinfo((const struct sockaddr *)pss, sizeof(*pss), hostname, sizeof(hostname), NULL, 0, - NI_NAMEREQD) == 0) { - /* Success, use host:port */ - kdc_str = talloc_asprintf(mem_ctx, + NI_NAMEREQD); + if (ret) { + DEBUG(0,("print_kdc_line: can't resolve name " + "for kdc with non-default port %s. " + "Error %s\n.", + print_canonical_sockaddr(mem_ctx, pss), + gai_strerror(ret))); + } + /* Success, use host:port */ + kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s:%u\n", - prev_line, + prev_line, hostname, (unsigned int)port); - return kdc_str; - } - } - kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + } else { + kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", prev_line, print_sockaddr(addr, sizeof(addr), pss)); + } } return kdc_str; } -- cgit From a92eb76688600efbf4a4056c2543f348e2fee8aa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 17 Jan 2008 10:24:34 +0100 Subject: Finally enable pidl generated SAMR & NETLOGON headers and clients. Guenther (This used to be commit f7100156a7df7ac3ae84e45a47153b38d9375215) --- source3/libads/authdata.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 9a6f1061df..644f8515bc 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
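Review bot: When `sys_getnameinfo()` fails (`ret != 0`) the new code only logs and then still formats `hostname` into the `kdc = %s:%u` line, but `hostname` is an uninitialised stack buffer at that point, so the generated krb5.conf gets garbage and the read is undefined behaviour. The failure has to leave the branch: after the DEBUG add `return NULL;` (get_kdc_ip_string() already treats NULL as failure and frees its lists), or fall back to the address-only line if losing the port is preferable to losing the KDC. The message also puts its newline before the period, `"Error %s\n."`, which should be `"Error %s.\n"`. `hostname` is declared on the line just above this hunk.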
@@ -429,8 +429,8 @@ static bool pac_io_pac_logon_info(const char *desc, PAC_LOGON_INFO *info, if (info->info3.ptr_res_groups) { - if (!(info->info3.user_flgs & LOGON_RESOURCE_GROUPS)) { - DEBUG(0,("user_flgs attribute does not have LOGON_RESOURCE_GROUPS\n")); + if (!(info->info3.user_flgs & NETLOGON_RESOURCE_GROUPS)) { + DEBUG(0,("user_flgs attribute does not have NETLOGON_RESOURCE_GROUPS\n")); /* return False; */ } @@ -738,10 +738,10 @@ void dump_pac_logon_info(int lvl, PAC_LOGON_INFO *logon_info) DEBUG(lvl,("The PAC:\n")); DEBUGADD(lvl,("\tUser Flags: 0x%x (%d)\n", user_flgs, user_flgs)); - if (user_flgs & LOGON_EXTRA_SIDS) - DEBUGADD(lvl,("\tUser Flags: LOGON_EXTRA_SIDS 0x%x (%d)\n", LOGON_EXTRA_SIDS, LOGON_EXTRA_SIDS)); - if (user_flgs & LOGON_RESOURCE_GROUPS) - DEBUGADD(lvl,("\tUser Flags: LOGON_RESOURCE_GROUPS 0x%x (%d)\n", LOGON_RESOURCE_GROUPS, LOGON_RESOURCE_GROUPS)); + if (user_flgs & NETLOGON_EXTRA_SIDS) + DEBUGADD(lvl,("\tUser Flags: NETLOGON_EXTRA_SIDS 0x%x (%d)\n", NETLOGON_EXTRA_SIDS, NETLOGON_EXTRA_SIDS)); + if (user_flgs & NETLOGON_RESOURCE_GROUPS) + DEBUGADD(lvl,("\tUser Flags: NETLOGON_RESOURCE_GROUPS 0x%x (%d)\n", NETLOGON_RESOURCE_GROUPS, NETLOGON_RESOURCE_GROUPS)); DEBUGADD(lvl,("\tUser SID: %s-%d\n", sid_string_dbg(&dom_sid), logon_info->info3.user_rid)); DEBUGADD(lvl,("\tGroup SID: %s-%d\n", sid_string_dbg(&dom_sid), -- cgit From 587cf54c61c9f1f7bcae431a82035fd942716c32 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 23 Jan 2008 11:04:10 +0100 Subject: strtok -> strtok_r (This used to be commit fd34ce437057bb34cdc37f4b066e424000d36789) --- source3/libads/ads_struct.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 44bcdf76ea..8cc2f1215e 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c 
@@ -29,7 +29,8 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int int numbits = 0; char *ret; int len; - + char *saveptr; + r = SMB_STRDUP(realm); if (!r || !*r) { @@ -51,11 +52,11 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int } strlcpy(ret,field, len); - p=strtok(r,sep); + p=strtok_r(r, sep, &saveptr); if (p) { strlcat(ret, p, len); - while ((p=strtok(NULL,sep))) { + while ((p=strtok_r(NULL, sep, &saveptr)) != NULL) { char *s; if (reverse) asprintf(&s, "%s%s,%s", field, p, ret); -- cgit From c0c93dc2ba8bf6b32b0bcc228d947ee588ee4099 Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Mon, 28 Jan 2008 11:32:09 -0600 Subject: Restrict the enctypes in the generated krb5.conf files to Win2003 types. This fixes the failure observed on FC8 when joining a Windows 2008 RC1 domain. We currently do not handle user session keys correctly when the KDC uses AES in the ticket replies. (This used to be commit 8039a2518caae54bc876368c73ec493f3cd4eb73) --- source3/libads/kerberos.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index b99525047f..d47e8a3ff1 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -865,10 +865,14 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, return False; } - file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n" - "[realms]\n\t%s = {\n" - "\t%s\t}\n", - realm_upper, realm_upper, kdc_ip_string); + file_contents = talloc_asprintf(fname, + "[libdefaults]\n\tdefault_realm = %s\n" + "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" + "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" + "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" + "[realms]\n\t%s = {\n" + "\t%s\t}\n", + realm_upper, realm_upper, kdc_ip_string); if (!file_contents) { TALLOC_FREE(dname); -- cgit 
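Review bot: The three new enctype lines pin every client using this generated krb5.conf to RC4 and single-DES and exclude AES; the commit message says this is a workaround for unhandled AES session keys, but nothing in the code records that, so the restriction will outlive the bug it papers over. Put the reason next to the string, e.g. `/* FIXME: enctypes restricted to the Win2003 set because AES session keys are not handled yet; remove once they are. */`. Stylistically, the new keys lack the leading `\t` that `default_realm` has, so the `[libdefaults]` block is half-indented in the written file.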
From 7cab0f5c0c3edc3eb74e3ae8fa5a649187dc99c1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 29 Jan 2008 14:47:47 +0100 Subject: Fix the build. Avoid unrequired ndr_print_ads_struct dependencies. Guenther (This used to be commit c832882e49ff0dac6a717819dda24ab814253b2f) --- source3/libads/ndr.c | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 source3/libads/ndr.c (limited to 'source3/libads') diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c new file mode 100644 index 0000000000..6324a22041 --- /dev/null +++ b/source3/libads/ndr.c 
@@ -0,0 +1,118 @@ +/* + Unix SMB/CIFS implementation. + + debug print helpers + + Copyright (C) Guenther Deschner 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" + +void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r) +{ + ndr_print_uint32(ndr, name, r); + ndr->depth++; + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_DISABLE_KERBEROS", ADS_AUTH_DISABLE_KERBEROS, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_NO_BIND", ADS_AUTH_NO_BIND, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_ANON_BIND", ADS_AUTH_ANON_BIND, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SIMPLE_BIND", ADS_AUTH_SIMPLE_BIND, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_ALLOW_NTLMSSP", ADS_AUTH_ALLOW_NTLMSSP, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r); + ndr->depth--; +} + +void ndr_print_ads_struct(struct ndr_print *ndr, const char *name, const struct ads_struct *r) +{ + if (!r) { return; } + + ndr_print_struct(ndr, name, "ads_struct"); + ndr->depth++; + ndr_print_bool(ndr, "is_mine", r->is_mine); + ndr_print_struct(ndr, name, "server"); + ndr->depth++; + ndr_print_string(ndr, "realm", 
r->server.realm); + ndr_print_string(ndr, "workgroup", r->server.workgroup); + ndr_print_string(ndr, "ldap_server", r->server.ldap_server); + ndr_print_bool(ndr, "foreign", r->server.foreign); + ndr->depth--; + ndr_print_struct(ndr, name, "auth"); + ndr->depth++; + ndr_print_string(ndr, "realm", r->auth.realm); +#ifdef DEBUG_PASSWORD + ndr_print_string(ndr, "password", r->auth.password); +#else + ndr_print_string(ndr, "password", "(PASSWORD ommited)"); +#endif + ndr_print_string(ndr, "user_name", r->auth.user_name); + ndr_print_string(ndr, "kdc_server", r->auth.kdc_server); + ndr_print_ads_auth_flags(ndr, "flags", r->auth.flags); + ndr_print_uint32(ndr, "time_offset", r->auth.time_offset); + ndr_print_time_t(ndr, "tgt_expire", r->auth.tgt_expire); + ndr_print_time_t(ndr, "tgs_expire", r->auth.tgs_expire); + ndr_print_time_t(ndr, "renewable", r->auth.renewable); + ndr->depth--; + ndr_print_struct(ndr, name, "config"); + ndr->depth++; + ndr_print_netr_DsR_DcFlags(ndr, "flags", r->config.flags); + ndr_print_string(ndr, "realm", r->config.realm); + ndr_print_string(ndr, "bind_path", r->config.bind_path); + ndr_print_string(ndr, "ldap_server_name", r->config.ldap_server_name); + ndr_print_string(ndr, "server_site_name", r->config.server_site_name); + ndr_print_string(ndr, "client_site_name", r->config.client_site_name); + ndr_print_time_t(ndr, "current_time", r->config.current_time); + ndr_print_bool(ndr, "tried_closest_dc", r->config.tried_closest_dc); + ndr_print_string(ndr, "schema_path", r->config.schema_path); + ndr_print_string(ndr, "config_path", r->config.config_path); + ndr->depth--; +#ifdef HAVE_LDAP + ndr_print_struct(ndr, name, "ldap"); + ndr->depth++; + ndr_print_ptr(ndr, "ld", r->ldap.ld); + ndr_print_sockaddr_storage(ndr, "ss", &r->ldap.ss); + ndr_print_time_t(ndr, "last_attempt", r->ldap.last_attempt); + ndr_print_uint32(ndr, "port", r->ldap.port); + ndr_print_uint16(ndr, "wrap_type", r->ldap.wrap_type); +#ifdef HAVE_LDAP_SASL_WRAPPING + 
ndr_print_ptr(ndr, "sbiod", r->ldap.sbiod); +#endif /* HAVE_LDAP_SASL_WRAPPING */ + ndr_print_ptr(ndr, "mem_ctx", r->ldap.mem_ctx); + ndr_print_ptr(ndr, "wrap_ops", r->ldap.wrap_ops); + ndr_print_ptr(ndr, "wrap_private_data", r->ldap.wrap_private_data); + ndr_print_struct(ndr, name, "in"); + ndr->depth++; + ndr_print_uint32(ndr, "ofs", r->ldap.in.ofs); + ndr_print_uint32(ndr, "needed", r->ldap.in.needed); + ndr_print_uint32(ndr, "left", r->ldap.in.left); + ndr_print_uint32(ndr, "max_wrapped", r->ldap.in.max_wrapped); + ndr_print_uint32(ndr, "min_wrapped", r->ldap.in.min_wrapped); + ndr_print_uint32(ndr, "size", r->ldap.in.size); + ndr_print_array_uint8(ndr, "buf", r->ldap.in.buf, r->ldap.in.size); + ndr->depth--; + ndr_print_struct(ndr, name, "out"); + ndr->depth++; + ndr_print_uint32(ndr, "ofs", r->ldap.out.ofs); + ndr_print_uint32(ndr, "left", r->ldap.out.left); + ndr_print_uint32(ndr, "max_unwrapped", r->ldap.out.max_unwrapped); + ndr_print_uint32(ndr, "sig_size", r->ldap.out.sig_size); + ndr_print_uint32(ndr, "size", r->ldap.out.size); + ndr_print_array_uint8(ndr, "buf", r->ldap.out.buf, r->ldap.out.size); + ndr->depth--; + ndr->depth--; +#endif /* HAVE_LDAP */ + ndr->depth--; +} -- cgit From 6c764172e541decc0fa4b0314f4d26ea859c0dfe Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 31 Jan 2008 01:50:49 +0100 Subject: When running with debug level > 10, dump ads_struct in ads_connect(). Guenther (This used to be commit 2dd7c64fa8845fe502789068b877f5eaf060afc7) --- source3/libads/ldap.c | 42 +++++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 9 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 28bc7793d7..7b0adc2fc3 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c 
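Review bot: `ndr_print_ads_struct()` emits `r->auth.password` in DEBUG_PASSWORD builds, so any caller that dumps the struct at a debug level (the ads_connect() entry/exit dumps later in this series) writes the bind credential to the log; if that is intended, say so at the `#ifdef`: `/* DEBUG_PASSWORD builds only: this puts the bind password into the debug log */`. The placeholder string misspells "omitted" (`"(PASSWORD ommited)"`). Many of the `ndr_print_string()` arguments are optional fields that may be NULL (e.g. `r->auth.kdc_server`, `r->config.server_site_name`); whether that helper tolerates NULL is not visible here and is worth confirming before this runs on a partly initialised struct.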
@@ -391,6 +391,13 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads) /* try with a user specified server */ + if (DEBUGLEVEL >= 11) { + char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads); + DEBUG(11,("ads_connect: entering\n")); + DEBUGADD(11,("%s\n", s)); + TALLOC_FREE(s); + } + if (ads->server.ldap_server && ads_try_connect(ads, ads->server.ldap_server)) { goto got_connection; @@ -401,7 +408,8 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads) goto got_connection; } - return ADS_ERROR_NT(ntstatus); + status = ADS_ERROR_NT(ntstatus); + goto out; got_connection: @@ -438,12 +446,14 @@ got_connection: /* If the caller() requested no LDAP bind, then we are done */ if (ads->auth.flags & ADS_AUTH_NO_BIND) { - return ADS_SUCCESS; + status = ADS_SUCCESS; + goto out; } ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory"); if (!ads->ldap.mem_ctx) { - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto out; } /* Otherwise setup the TCP LDAP session */ @@ -451,7 +461,8 @@ got_connection: ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, LDAP_PORT, lp_ldap_timeout()); if (ads->ldap.ld == NULL) { - return ADS_ERROR(LDAP_OPERATIONS_ERROR); + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto out; } DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name)); 
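Review bot: `s` from `NDR_PRINT_STRUCT_STRING()` goes straight into `DEBUGADD(11,("%s\n", s))`; if the macro can return NULL on allocation failure that is a NULL `%s`, so guard it (`if (s != NULL)`) or confirm the macro cannot fail. The same five-line dump block is repeated verbatim at `out:` in the last hunk; a `static void ads_debug_dump(const char *where, ADS_STATUS status, ADS_STRUCT *ads)` helper would keep the two in step. Note that the dump includes the bind password in DEBUG_PASSWORD builds of `ndr_print_ads_struct()`, which is worth a one-line comment at the call site.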
@@ -466,27 +477,40 @@ got_connection: status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version)); if (!ADS_ERR_OK(status)) { - return status; + goto out; } /* fill in the current time and offsets */ status = ads_current_time( ads ); if ( !ADS_ERR_OK(status) ) { - return status; + goto out; } /* Now do the bind */ if (ads->auth.flags & ADS_AUTH_ANON_BIND) { - return ADS_ERROR(ldap_simple_bind_s( ads->ldap.ld, NULL, NULL)); + status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL)); + goto out; } if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) { - return ADS_ERROR(ldap_simple_bind_s( ads->ldap.ld, ads->auth.user_name, ads->auth.password)); + status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password)); + goto out; + } + + status = ads_sasl_bind(ads); + + out: + if (DEBUGLEVEL >= 11) { + char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads); + DEBUG(11,("ads_connect: leaving with: %s\n", + ads_errstr(status))); + DEBUGADD(11,("%s\n", s)); + TALLOC_FREE(s); } - return ads_sasl_bind(ads); + return status; } /** -- cgit
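Review bot: The new `out:` label is indented by one space while `got_connection:` earlier in the same function sits at column 0; keep one convention within the function, `out:` at column 0. The `goto out` conversion is otherwise consistent, and every path now assigns `status` before jumping, which is what makes the exit dump safe to read it.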