From ef2e26c91b80556af033d3335e55f5dfa6fff31d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 13 Aug 2003 01:53:07 +0000 Subject: first public release of samba4 code (This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f) --- source4/libads/.cvsignore | 2 + source4/libads/ads_ldap.c | 155 +++ source4/libads/ads_status.c | 133 +++ source4/libads/ads_struct.c | 141 +++ source4/libads/ads_utils.c | 181 ++++ source4/libads/disp_sec.c | 159 +++ source4/libads/kerberos.c | 140 +++ source4/libads/kerberos_verify.c | 173 ++++ source4/libads/krb5_setpw.c | 701 +++++++++++++ source4/libads/ldap.c | 2098 ++++++++++++++++++++++++++++++++++++++ source4/libads/ldap_printer.c | 341 +++++++ source4/libads/ldap_user.c | 119 +++ source4/libads/ldap_utils.c | 96 ++ source4/libads/sasl.c | 427 ++++++++ source4/libads/util.c | 60 ++ 15 files changed, 4926 insertions(+) create mode 100644 source4/libads/.cvsignore create mode 100644 source4/libads/ads_ldap.c create mode 100644 source4/libads/ads_status.c create mode 100644 source4/libads/ads_struct.c create mode 100644 source4/libads/ads_utils.c create mode 100644 source4/libads/disp_sec.c create mode 100644 source4/libads/kerberos.c create mode 100644 source4/libads/kerberos_verify.c create mode 100644 source4/libads/krb5_setpw.c create mode 100644 source4/libads/ldap.c create mode 100644 source4/libads/ldap_printer.c create mode 100644 source4/libads/ldap_user.c create mode 100644 source4/libads/ldap_utils.c create mode 100644 source4/libads/sasl.c create mode 100644 source4/libads/util.c (limited to 'source4/libads') diff --git a/source4/libads/.cvsignore b/source4/libads/.cvsignore new file mode 100644 index 0000000000..5f2a5c4cf7 --- /dev/null +++ b/source4/libads/.cvsignore @@ -0,0 +1,2 @@ +*.po +*.po32 diff --git a/source4/libads/ads_ldap.c b/source4/libads/ads_ldap.c new file mode 100644 index 0000000000..97f12de0f7 --- /dev/null +++ b/source4/libads/ads_ldap.c @@ -0,0 +1,155 @@ +/* + Unix SMB/CIFS implementation. + + Winbind ADS backend functions + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#ifdef HAVE_LDAP + +/* convert a single name to a sid in a domain */ +NTSTATUS ads_name_to_sid(ADS_STRUCT *ads, + const char *name, + DOM_SID *sid, + enum SID_NAME_USE *type) +{ + const char *attrs[] = {"objectSid", "sAMAccountType", NULL}; + int count; + ADS_STATUS rc; + void *res = NULL; + char *exp; + uint32 t; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + char *escaped_name = escape_ldap_string_alloc(name); + char *escaped_realm = escape_ldap_string_alloc(ads->config.realm); + + if (!escaped_name || !escaped_realm) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + if (asprintf(&exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))", + escaped_name, escaped_name, escaped_realm) == -1) { + DEBUG(1,("ads_name_to_sid: asprintf failed!\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + rc = ads_search_retry(ads, &res, exp, attrs); + free(exp); + if (!ADS_ERR_OK(rc)) { + DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc))); + goto done; + } + + count = ads_count_replies(ads, res); + if (count != 1) { + DEBUG(1,("name_to_sid: %s not found\n", name)); + goto done; + } + + if (!ads_pull_sid(ads, res, "objectSid", sid)) { + DEBUG(1,("No sid for %s !?\n", name)); + goto done; + } + + if (!ads_pull_uint32(ads, res, "sAMAccountType", &t)) { + DEBUG(1,("No sAMAccountType for %s !?\n", name)); + goto done; + } + + *type = ads_atype_map(t); + + status = NT_STATUS_OK; + + DEBUG(3,("ads name_to_sid mapped %s\n", name)); + +done: + if (res) ads_msgfree(ads, res); + + SAFE_FREE(escaped_name); + SAFE_FREE(escaped_realm); + + return status; +} + +/* convert a sid to a user or group name */ +NTSTATUS ads_sid_to_name(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + char **name, + enum SID_NAME_USE *type) +{ + const char *attrs[] = {"userPrincipalName", + "sAMAccountName", + "sAMAccountType", NULL}; + ADS_STATUS rc; + void *msg = NULL; + char *exp = NULL; + char *sidstr = NULL; + uint32 atype; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + + if (!(sidstr = sid_binstring(sid))) { + DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + if (asprintf(&exp, "(objectSid=%s)", sidstr) == -1) { + DEBUG(1,("ads_sid_to_name: asprintf failed!\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + rc = ads_search_retry(ads, &msg, exp, attrs); + if (!ADS_ERR_OK(rc)) { + status = ads_ntstatus(rc); + DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc))); + goto done; + } + + if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) { + goto done; + } + + *name = ads_pull_username(ads, mem_ctx, msg); + if (!*name) { + DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n")); + status = NT_STATUS_NO_MEMORY; + goto done; + } + + *type = ads_atype_map(atype); + + status = NT_STATUS_OK; + + DEBUG(3,("ads sid_to_name mapped %s\n", *name)); + +done: + if (msg) ads_msgfree(ads, msg); + + SAFE_FREE(exp); + SAFE_FREE(sidstr); + + return status; +} + +#endif diff --git a/source4/libads/ads_status.c b/source4/libads/ads_status.c new file mode 100644 index 0000000000..80fdb99eac --- /dev/null +++ b/source4/libads/ads_status.c @@ -0,0 +1,133 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Andrew Bartlett 2001 + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + build a ADS_STATUS structure +*/ +ADS_STATUS ads_build_error(enum ads_error_type etype, + int rc, int minor_status) +{ + ADS_STATUS ret; + + if (etype == ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_error with ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + + ret.err.rc = rc; + ret.error_type = etype; + ret.minor_status = minor_status; + return ret; +} + +ADS_STATUS ads_build_nt_error(enum ads_error_type etype, + NTSTATUS nt_status) +{ + ADS_STATUS ret; + + if (etype != ADS_ERROR_NT) { + DEBUG(0,("don't use ads_build_nt_error without ADS_ERROR_NT!\n")); + ret.err.rc = -1; + ret.error_type = ADS_ERROR_SYSTEM; + ret.minor_status = 0; + return ret; + } + ret.err.nt_status = nt_status; + ret.error_type = etype; + ret.minor_status = 0; + return ret; +} + +/* + do a rough conversion between ads error codes and NT status codes + we'll need to fill this in more +*/ +NTSTATUS ads_ntstatus(ADS_STATUS status) +{ + if (status.error_type == ADS_ERROR_NT){ + return status.err.nt_status; + } +#ifdef HAVE_LDAP + if ((status.error_type == ADS_ERROR_LDAP) + && (status.err.rc == LDAP_NO_MEMORY)) { + return NT_STATUS_NO_MEMORY; + } +#endif + if (ADS_ERR_OK(status)) return NT_STATUS_OK; + return NT_STATUS_UNSUCCESSFUL; +} + +/* + return a string for an error from a ads routine +*/ +const char *ads_errstr(ADS_STATUS status) +{ + int msg_ctx; + static char *ret; + + SAFE_FREE(ret); + msg_ctx = 0; + + switch (status.error_type) { + case ADS_ERROR_SYSTEM: + return strerror(status.err.rc); +#ifdef HAVE_LDAP + case ADS_ERROR_LDAP: + return ldap_err2string(status.err.rc); +#endif +#ifdef HAVE_KRB5 + case ADS_ERROR_KRB5: + return error_message(status.err.rc); +#endif +#ifdef HAVE_GSSAPI + case ADS_ERROR_GSS: + { + uint32 minor; + + gss_buffer_desc msg1, msg2; + msg1.value = NULL; + msg2.value = NULL; + gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE, + GSS_C_NULL_OID, &msg_ctx, &msg1); + gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE, + GSS_C_NULL_OID, &msg_ctx, &msg2); + asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value); + gss_release_buffer(&minor, &msg1); + gss_release_buffer(&minor, &msg2); + return ret; + } +#endif + case ADS_ERROR_NT: + return nt_errstr(ads_ntstatus(status)); + default: + return "Unknown ADS error type!? (not compiled in?)"; + } + +} + + diff --git a/source4/libads/ads_struct.c b/source4/libads/ads_struct.c new file mode 100644 index 0000000000..652bfe31be --- /dev/null +++ b/source4/libads/ads_struct.c @@ -0,0 +1,141 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* return a ldap dn path from a string, given separators and field name + caller must free +*/ +char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse) +{ + char *p, *r; + int numbits = 0; + char *ret; + int len; + + r = strdup(realm); + + if (!r || !*r) + return r; + + for (p=r; *p; p++) + if (strchr(sep, *p)) + numbits++; + + len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1; + + ret = malloc(len); + if (!ret) + return NULL; + + strlcpy(ret,field, len); + p=strtok(r,sep); + strlcat(ret, p, len); + + while ((p=strtok(NULL,sep))) { + char *s; + if (reverse) + asprintf(&s, "%s%s,%s", field, p, ret); + else + asprintf(&s, "%s,%s%s", ret, field, p); + free(ret); + ret = s; + } + + free(r); + return ret; +} + +/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a + realm of the form AA.BB.CC + caller must free +*/ +char *ads_build_dn(const char *realm) +{ + return ads_build_path(realm, ".", "dc=", 0); +} + + +#ifndef LDAP_PORT +#define LDAP_PORT 389 +#endif + +/* + initialise a ADS_STRUCT, ready for some ads_ ops +*/ +ADS_STRUCT *ads_init(const char *realm, + const char *workgroup, + const char *ldap_server) +{ + ADS_STRUCT *ads; + + ads = (ADS_STRUCT *)smb_xmalloc(sizeof(*ads)); + ZERO_STRUCTP(ads); + + ads->server.realm = realm? strdup(realm) : NULL; + ads->server.workgroup = workgroup ? strdup(workgroup) : NULL; + ads->server.ldap_server = ldap_server? strdup(ldap_server) : NULL; + + /* we need to know if this is a foreign realm to know if we can + use lp_ads_server() */ + if (realm && *realm && strcasecmp(lp_realm(), realm) != 0) { + ads->server.foreign = 1; + } + if (workgroup && *workgroup && strcasecmp(lp_workgroup(), workgroup) != 0) { + ads->server.foreign = 1; + } + + return ads; +} + +/* a simpler ads_init() interface using all defaults */ +ADS_STRUCT *ads_init_simple(void) +{ + return ads_init(NULL, NULL, NULL); +} + +/* + free the memory used by the ADS structure initialized with 'ads_init(...)' +*/ +void ads_destroy(ADS_STRUCT **ads) +{ + if (ads && *ads) { +#if HAVE_LDAP + if ((*ads)->ld) ldap_unbind((*ads)->ld); +#endif + SAFE_FREE((*ads)->server.realm); + SAFE_FREE((*ads)->server.workgroup); + SAFE_FREE((*ads)->server.ldap_server); + SAFE_FREE((*ads)->server.ldap_uri); + + SAFE_FREE((*ads)->auth.realm); + SAFE_FREE((*ads)->auth.password); + SAFE_FREE((*ads)->auth.user_name); + SAFE_FREE((*ads)->auth.kdc_server); + + SAFE_FREE((*ads)->config.realm); + SAFE_FREE((*ads)->config.bind_path); + SAFE_FREE((*ads)->config.ldap_server_name); + + ZERO_STRUCTP(*ads); + SAFE_FREE(*ads); + } +} diff --git a/source4/libads/ads_utils.c b/source4/libads/ads_utils.c new file mode 100644 index 0000000000..626c177926 --- /dev/null +++ b/source4/libads/ads_utils.c @@ -0,0 +1,181 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + + Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* +translated the ACB_CTRL Flags to UserFlags (userAccountControl) +*/ +uint32 ads_acb2uf(uint16 acb) +{ + uint32 uf = 0x00000000; + + if (acb & ACB_DISABLED) uf |= UF_ACCOUNTDISABLE; + if (acb & ACB_HOMDIRREQ) uf |= UF_HOMEDIR_REQUIRED; + if (acb & ACB_PWNOTREQ) uf |= UF_PASSWD_NOTREQD; + if (acb & ACB_TEMPDUP) uf |= UF_TEMP_DUPLICATE_ACCOUNT; + if (acb & ACB_NORMAL) uf |= UF_NORMAL_ACCOUNT; + if (acb & ACB_MNS) uf |= UF_MNS_LOGON_ACCOUNT; + if (acb & ACB_DOMTRUST) uf |= UF_INTERDOMAIN_TRUST_ACCOUNT; + if (acb & ACB_WSTRUST) uf |= UF_WORKSTATION_TRUST_ACCOUNT; + if (acb & ACB_SVRTRUST) uf |= UF_SERVER_TRUST_ACCOUNT; + if (acb & ACB_PWNOEXP) uf |= UF_DONT_EXPIRE_PASSWD; + if (acb & ACB_AUTOLOCK) uf |= UF_LOCKOUT; + + return uf; +} + +/* +translated the UserFlags (userAccountControl) to ACB_CTRL Flags +*/ +uint16 ads_uf2acb(uint32 uf) +{ + uint16 acb = 0x0000; + + if (uf & UF_ACCOUNTDISABLE) acb |= ACB_DISABLED; + if (uf & UF_HOMEDIR_REQUIRED) acb |= ACB_HOMDIRREQ; + if (uf & UF_PASSWD_NOTREQD) acb |= ACB_PWNOTREQ; + if (uf & UF_MNS_LOGON_ACCOUNT) acb |= ACB_MNS; + if (uf & UF_DONT_EXPIRE_PASSWD) acb |= ACB_PWNOEXP; + if (uf & UF_LOCKOUT) acb |= ACB_AUTOLOCK; + + switch (uf & UF_ACCOUNT_TYPE_MASK) + { + case UF_TEMP_DUPLICATE_ACCOUNT: acb |= ACB_TEMPDUP;break; + case UF_NORMAL_ACCOUNT: acb |= ACB_NORMAL;break; + case UF_INTERDOMAIN_TRUST_ACCOUNT: acb |= ACB_DOMTRUST;break; + case UF_WORKSTATION_TRUST_ACCOUNT: acb |= ACB_WSTRUST;break; + case UF_SERVER_TRUST_ACCOUNT: acb |= ACB_SVRTRUST;break; + /*Fix Me: what should we do here? */ + default: acb |= ACB_NORMAL;break; + } + + return acb; +} + +/* +get the accountType from the UserFlags +*/ +uint32 ads_uf2atype(uint32 uf) +{ + uint32 atype = 0x00000000; + + if (uf & UF_NORMAL_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT; + else if (uf & UF_TEMP_DUPLICATE_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT; + else if (uf & UF_SERVER_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST; + else if (uf & UF_WORKSTATION_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST; + else if (uf & UF_INTERDOMAIN_TRUST_ACCOUNT) atype = ATYPE_INTERDOMAIN_TRUST; + + return atype; +} + +/* +translated the GROUP_CTRL Flags to GroupType (groupType) +*/ +uint32 ads_gcb2gtype(uint16 gcb) +{ + uint32 gtype = 0x00000000; + + if (gcb & GCB_ALIAS_GROUP) gtype |= GTYPE_SECURITY_BUILTIN_LOCAL_GROUP; + else if(gcb & GCB_LOCAL_GROUP) gtype |= GTYPE_SECURITY_DOMAIN_LOCAL_GROUP; + if (gcb & GCB_GLOBAL_GROUP) gtype |= GTYPE_SECURITY_GLOBAL_GROUP; + + return gtype; +} + +/* +translated the GroupType (groupType) to GROUP_CTRL Flags +*/ +uint16 ads_gtype2gcb(uint32 gtype) +{ + uint16 gcb = 0x0000; + + switch(gtype) { + case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: + gcb = GCB_ALIAS_GROUP; + break; + case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: + gcb = GCB_LOCAL_GROUP; + break; + case GTYPE_SECURITY_GLOBAL_GROUP: + gcb = GCB_GLOBAL_GROUP; + break; + + case GTYPE_DISTRIBUTION_GLOBAL_GROUP: + gcb = GCB_GLOBAL_GROUP; + break; + case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: + gcb = GCB_LOCAL_GROUP; + break; + case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: + gcb = GCB_GLOBAL_GROUP; + break; + } + + return gcb; +} + +/* +get the accountType from the groupType +*/ +uint32 ads_gtype2atype(uint32 gtype) +{ + uint32 atype = 0x00000000; + + switch(gtype) { + case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP: + atype = ATYPE_SECURITY_LOCAL_GROUP; + break; + case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP: + atype = ATYPE_SECURITY_LOCAL_GROUP; + break; + case GTYPE_SECURITY_GLOBAL_GROUP: + atype = ATYPE_SECURITY_GLOBAL_GROUP; + break; + + case GTYPE_DISTRIBUTION_GLOBAL_GROUP: + atype = ATYPE_DISTRIBUTION_GLOBAL_GROUP; + break; + case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP: + atype = ATYPE_DISTRIBUTION_UNIVERSAL_GROUP; + break; + case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP: + atype = ATYPE_DISTRIBUTION_LOCAL_GROUP; + break; + } + + return atype; +} + +/* turn a sAMAccountType into a SID_NAME_USE */ +enum SID_NAME_USE ads_atype_map(uint32 atype) +{ + switch (atype & 0xF0000000) { + case ATYPE_GLOBAL_GROUP: + return SID_NAME_DOM_GRP; + case ATYPE_ACCOUNT: + return SID_NAME_USER; + default: + DEBUG(1,("hmm, need to map account type 0x%x\n", atype)); + } + return SID_NAME_UNKNOWN; +} diff --git a/source4/libads/disp_sec.c b/source4/libads/disp_sec.c new file mode 100644 index 0000000000..c9de447e69 --- /dev/null +++ b/source4/libads/disp_sec.c @@ -0,0 +1,159 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions. ADS stuff + Copyright (C) Alexey Kotovich 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +static struct perm_mask_str { + uint32 mask; + const char *str; +} perms[] = { + {SEC_RIGHTS_FULL_CTRL, "[Full Control]"}, + + {SEC_RIGHTS_LIST_CONTENTS, "[List Contents]"}, + {SEC_RIGHTS_LIST_OBJECT, "[List Object]"}, + + {SEC_RIGHTS_READ_ALL_PROP, "[Read All Properties]"}, + {SEC_RIGHTS_READ_PERMS, "[Read Permissions]"}, + + {SEC_RIGHTS_WRITE_ALL_VALID, "[All validate writes]"}, + {SEC_RIGHTS_WRITE_ALL_PROP, "[Write All Properties]"}, + + {SEC_RIGHTS_MODIFY_PERMS, "[Modify Permissions]"}, + {SEC_RIGHTS_MODIFY_OWNER, "[Modify Owner]"}, + + {SEC_RIGHTS_CREATE_CHILD, "[Create All Child Objects]"}, + + {SEC_RIGHTS_DELETE, "[Delete]"}, + {SEC_RIGHTS_DELETE_SUBTREE, "[Delete Subtree]"}, + {SEC_RIGHTS_DELETE_CHILD, "[Delete All Child Objects]"}, + + {SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"}, + {SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"}, + {0, 0} +}; + +/* convert a security permissions into a string */ +static void ads_disp_perms(uint32 type) +{ + int i = 0; + int j = 0; + + printf("Permissions: "); + + if (type == SEC_RIGHTS_FULL_CTRL) { + printf("%s\n", perms[j].str); + return; + } + + for (i = 0; i < 32; i++) { + if (type & (1 << i)) { + for (j = 1; perms[j].str; j ++) { + if (perms[j].mask == (((unsigned) 1) << i)) { + printf("\n\t%s", perms[j].str); + } + } + type &= ~(1 << i); + } + } + + /* remaining bits get added on as-is */ + if (type != 0) { + printf("[%08x]", type); + } + puts(""); +} + +/* display ACE */ +static void ads_disp_ace(SEC_ACE *sec_ace) +{ + const char *access_type = "UNKNOWN"; + + if (!sec_ace_object(sec_ace->type)) { + printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n", + sec_ace->type, + sec_ace->flags, + sec_ace->size, + sec_ace->info.mask); + } else { + printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n", + sec_ace->type, + sec_ace->flags, + sec_ace->size, + sec_ace->info.mask, + sec_ace->obj_flags); + } + + if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) { + access_type = "ALLOWED"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) { + access_type = "DENIED"; + } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) { + access_type = "SYSTEM AUDIT"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { + access_type = "ALLOWED OBJECT"; + } else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { + access_type = "DENIED OBJECT"; + } else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { + access_type = "AUDIT OBJECT"; + } + + printf("access SID: %s\naccess type: %s\n", + sid_string_static(&sec_ace->trustee), access_type); + + ads_disp_perms(sec_ace->info.mask); +} + +/* display ACL */ +static void ads_disp_acl(SEC_ACL *sec_acl, const char *type) +{ + if (!sec_acl) + printf("------- (%s) ACL not present\n", type); + else { + printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n", + type, + sec_acl->revision, + sec_acl->size, + sec_acl->num_aces); + } +} + +/* display SD */ +void ads_disp_sd(SEC_DESC *sd) +{ + int i; + + printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", + sd->revision, + sd->type); + printf("owner SID: %s\n", sid_string_static(sd->owner_sid)); + printf("group SID: %s\n", sid_string_static(sd->grp_sid)); + + ads_disp_acl(sd->sacl, "system"); + for (i = 0; i < sd->sacl->num_aces; i ++) + ads_disp_ace(&sd->sacl->ace[i]); + + ads_disp_acl(sd->dacl, "user"); + for (i = 0; i < sd->dacl->num_aces; i ++) + ads_disp_ace(&sd->dacl->ace[i]); + + printf("-------------- End Of Security Descriptor\n"); +} + + diff --git a/source4/libads/kerberos.c b/source4/libads/kerberos.c new file mode 100644 index 0000000000..bef2febaef --- /dev/null +++ b/source4/libads/kerberos.c @@ -0,0 +1,140 @@ +/* + Unix SMB/CIFS implementation. + kerberos utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +/* + we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... +*/ +static krb5_error_code +kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, + int num_prompts, + krb5_prompt prompts[]) +{ + if (num_prompts == 0) return 0; + + memset(prompts[0].reply->data, 0, prompts[0].reply->length); + if (prompts[0].reply->length > 0) { + if (data) { + strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1); + prompts[0].reply->length = strlen(prompts[0].reply->data); + } else { + prompts[0].reply->length = 0; + } + } + return 0; +} + +/* + simulate a kinit, putting the tgt in the default cache location + remus@snapserver.com +*/ +int kerberos_kinit_password(const char *principal, const char *password, int time_offset) +{ + krb5_context ctx; + krb5_error_code code = 0; + krb5_ccache cc; + krb5_principal me; + krb5_creds my_creds; + + if ((code = krb5_init_context(&ctx))) + return code; + + if (time_offset != 0) { + krb5_set_real_time(ctx, time(NULL) + time_offset, 0); + } + + if ((code = krb5_cc_default(ctx, &cc))) { + krb5_free_context(ctx); + return code; + } + + if ((code = krb5_parse_name(ctx, principal, &me))) { + krb5_free_context(ctx); + return code; + } + + if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, NULL, + kerb_prompter, + password, 0, NULL, NULL))) { + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + return code; + } + + if ((code = krb5_cc_initialize(ctx, cc, me))) { + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + return code; + } + + if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { + krb5_cc_close(ctx, cc); + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + return code; + } + + krb5_cc_close(ctx, cc); + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); + krb5_free_context(ctx); + + return 0; +} + + + +/* run kinit to setup our ccache */ +int ads_kinit_password(ADS_STRUCT *ads) +{ + char *s; + int ret; + + if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) { + return KRB5_CC_NOMEM; + } + + if (!ads->auth.password) { + return KRB5_LIBOS_CANTREADPWD; + } + + ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset); + + if (ret) { + DEBUG(0,("kerberos_kinit_password %s failed: %s\n", + s, error_message(ret))); + } + free(s); + return ret; +} + + +#endif diff --git a/source4/libads/kerberos_verify.c b/source4/libads/kerberos_verify.c new file mode 100644 index 0000000000..9367f53539 --- /dev/null +++ b/source4/libads/kerberos_verify.c @@ -0,0 +1,173 @@ +/* + Unix SMB/CIFS implementation. + kerberos utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Luke Howard 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +/* + verify an incoming ticket and parse out the principal name and + authorization_data if available +*/ +NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, + char **principal, DATA_BLOB *auth_data, + DATA_BLOB *ap_rep, + uint8 session_key[16]) +{ + krb5_context context; + krb5_auth_context auth_context = NULL; + krb5_keytab keytab = NULL; + krb5_data packet; + krb5_ticket *tkt = NULL; + int ret, i; + krb5_keyblock * key; + krb5_principal host_princ; + char *host_princ_s; + fstring myname; + char *password_s; + krb5_data password; + krb5_enctype *enctypes = NULL; + BOOL auth_ok = False; + + if (!secrets_init()) { + DEBUG(1,("secrets_init failed\n")); + return NT_STATUS_LOGON_FAILURE; + } + + password_s = secrets_fetch_machine_password(); + if (!password_s) { + DEBUG(1,("failed to fetch machine password\n")); + return NT_STATUS_LOGON_FAILURE; + } + + password.data = password_s; + password.length = strlen(password_s); + + ret = krb5_init_context(&context); + if (ret) { + DEBUG(1,("krb5_init_context failed (%s)\n", error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + ret = krb5_set_default_realm(context, ads->auth.realm); + if (ret) { + DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + /* this whole process is far more complex than I would + like. We have to go through all this to allow us to store + the secret internally, instead of using /etc/krb5.keytab */ + ret = krb5_auth_con_init(context, &auth_context); + if (ret) { + DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + fstrcpy(myname, lp_netbios_name()); + strlower(myname); + asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm()); + ret = krb5_parse_name(context, host_princ_s, &host_princ); + if (ret) { + DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { + return NT_STATUS_NO_MEMORY; + } + + if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { + DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", + error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + /* we need to setup a auth context with each possible encoding type in turn */ + for (i=0;enctypes[i];i++) { + if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { + continue; + } + + krb5_auth_con_setuseruserkey(context, auth_context, key); + + packet.length = ticket->length; + packet.data = (krb5_pointer)ticket->data; + + if (!(ret = krb5_rd_req(context, &auth_context, &packet, + NULL, keytab, NULL, &tkt))) { + free_kerberos_etypes(context, enctypes); + auth_ok = True; + break; + } + } + + if (!auth_ok) { + DEBUG(3,("krb5_rd_req with auth failed (%s)\n", + error_message(ret))); + return NT_STATUS_LOGON_FAILURE; + } + + ret = krb5_mk_rep(context, auth_context, &packet); + if (ret) { + DEBUG(3,("Failed to generate mutual authentication reply (%s)\n", + error_message(ret))); + krb5_auth_con_free(context, auth_context); + return NT_STATUS_LOGON_FAILURE; + } + + *ap_rep = data_blob(packet.data, packet.length); + free(packet.data); + + krb5_get_smb_session_key(context, auth_context, session_key); + DEBUG(0,("SMB session key (from ticket) follows:\n")); + dump_data(0, session_key, 16); + +#if 0 + file_save("/tmp/ticket.dat", ticket->data, ticket->length); +#endif + + get_auth_data_from_tkt(auth_data, tkt); + +#if 0 + if (tkt->enc_part2) { + file_save("/tmp/authdata.dat", + tkt->enc_part2->authorization_data[0]->contents, + tkt->enc_part2->authorization_data[0]->length); +#endif + + if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), + principal))) { + DEBUG(3,("krb5_unparse_name failed (%s)\n", + error_message(ret))); + data_blob_free(auth_data); + data_blob_free(ap_rep); + krb5_auth_con_free(context, auth_context); + return NT_STATUS_LOGON_FAILURE; + } + + krb5_auth_con_free(context, auth_context); + + return NT_STATUS_OK; +} + +#endif /* HAVE_KRB5 */ diff --git a/source4/libads/krb5_setpw.c b/source4/libads/krb5_setpw.c new file mode 100644 index 0000000000..9d8fb8d24c --- /dev/null +++ b/source4/libads/krb5_setpw.c @@ -0,0 +1,701 @@ +/* + Unix SMB/CIFS implementation. + krb5 set password implementation + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +#define DEFAULT_KPASSWD_PORT 464 +#define KRB5_KPASSWD_VERS_CHANGEPW 1 +#define KRB5_KPASSWD_VERS_SETPW 2 +#define KRB5_KPASSWD_VERS_SETPW_MS 0xff80 +#define KRB5_KPASSWD_ACCESSDENIED 5 +#define KRB5_KPASSWD_BAD_VERSION 6 +#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 + +/* Those are defined by kerberos-set-passwd-02.txt and are probably + * not supported by M$ implementation */ +#define KRB5_KPASSWD_POLICY_REJECT 8 +#define KRB5_KPASSWD_BAD_PRINCIPAL 9 +#define KRB5_KPASSWD_ETYPE_NOSUPP 10 + +/* This implements kerberos password change protocol as specified in + * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt + * as well as microsoft version of the protocol + * as specified in kerberos-set-passwd-00.txt + */ +static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password) +{ + char* princ_part1 = NULL; + char* princ_part2 = NULL; + char* realm = NULL; + char* c; + char* princ; + + ASN1_DATA req; + DATA_BLOB ret; + + + princ = strdup(principal); + + if ((c = strchr(princ, '/')) == NULL) { + c = princ; + } else { + *c = '\0'; + c++; + princ_part1 = princ; + } + + princ_part2 = c; + + if ((c = strchr(c, '@')) != NULL) { + *c = '\0'; + c++; + realm = c; + } + + memset(&req, 0, sizeof(req)); + + asn1_push_tag(&req, ASN1_SEQUENCE(0)); + asn1_push_tag(&req, ASN1_CONTEXT(0)); + asn1_write_OctetString(&req, password, strlen(password)); + asn1_pop_tag(&req); + + asn1_push_tag(&req, ASN1_CONTEXT(1)); + asn1_push_tag(&req, ASN1_SEQUENCE(0)); + + asn1_push_tag(&req, ASN1_CONTEXT(0)); + asn1_write_Integer(&req, 1); + asn1_pop_tag(&req); + + asn1_push_tag(&req, ASN1_CONTEXT(1)); + asn1_push_tag(&req, ASN1_SEQUENCE(0)); + + if (princ_part1) + asn1_write_GeneralString(&req, princ_part1); + + asn1_write_GeneralString(&req, princ_part2); + asn1_pop_tag(&req); + asn1_pop_tag(&req); + asn1_pop_tag(&req); + asn1_pop_tag(&req); + + asn1_push_tag(&req, ASN1_CONTEXT(2)); + asn1_write_GeneralString(&req, realm); + asn1_pop_tag(&req); + asn1_pop_tag(&req); + + ret = data_blob(req.data, req.length); + asn1_free(&req); + + free(princ); + + return ret; +} + +static krb5_error_code build_kpasswd_request(uint16 pversion, + krb5_context context, + krb5_auth_context auth_context, + krb5_data *ap_req, + const char *princ, + const char *passwd, + krb5_data *packet) +{ + krb5_error_code ret; + krb5_data cipherpw; + krb5_data encoded_setpw; + krb5_replay_data replay; + char *p; + DATA_BLOB setpw; + + ret = krb5_auth_con_setflags(context, + auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE); + if (ret) { + DEBUG(1,("krb5_auth_con_setflags failed (%s)\n", + error_message(ret))); + return ret; + } + + /* handle protocol differences in chpw and setpw */ + if (pversion == KRB5_KPASSWD_VERS_CHANGEPW) + setpw = data_blob(passwd, strlen(passwd)); + else if (pversion == KRB5_KPASSWD_VERS_SETPW || + pversion == KRB5_KPASSWD_VERS_SETPW_MS) + setpw = encode_krb5_setpw(princ, passwd); + else + return EINVAL; + + encoded_setpw.data = setpw.data; + encoded_setpw.length = setpw.length; + + ret = krb5_mk_priv(context, auth_context, + &encoded_setpw, &cipherpw, &replay); + + data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */ + + if (ret) { + DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret))); + return ret; + } + + packet->data = (char *)malloc(ap_req->length + cipherpw.length + 6); + if (!packet->data) + return -1; + + /* see the RFC for details */ + p = ((char *)packet->data) + 2; + RSSVAL(p, 0, pversion); + p += 2; + RSSVAL(p, 0, ap_req->length); + p += 2; + memcpy(p, ap_req->data, ap_req->length); + p += ap_req->length; + memcpy(p, cipherpw.data, cipherpw.length); + p += cipherpw.length; + packet->length = PTR_DIFF(p,packet->data); + RSSVAL(packet->data, 0, packet->length); + + free(cipherpw.data); /* from 'krb5_mk_priv(...)' */ + + return 0; +} + +static krb5_error_code krb5_setpw_result_code_string(krb5_context context, + int result_code, + char **code_string) +{ + switch (result_code) { + case KRB5_KPASSWD_MALFORMED: + *code_string = "Malformed request error"; + break; + case KRB5_KPASSWD_HARDERROR: + *code_string = "Server error"; + break; + case KRB5_KPASSWD_AUTHERROR: + *code_string = "Authentication error"; + break; + case KRB5_KPASSWD_SOFTERROR: + *code_string = "Password change rejected"; + break; + case KRB5_KPASSWD_ACCESSDENIED: + *code_string = "Client does not have proper authorization"; + break; + case KRB5_KPASSWD_BAD_VERSION: + *code_string = "Protocol version not supported"; + break; + case KRB5_KPASSWD_INITIAL_FLAG_NEEDED: + *code_string = "Authorization ticket must have initial flag set"; + break; + case KRB5_KPASSWD_POLICY_REJECT: + *code_string = "Password rejected due to policy requirements"; + break; + case KRB5_KPASSWD_BAD_PRINCIPAL: + *code_string = "Target principal does not exist"; + break; + case KRB5_KPASSWD_ETYPE_NOSUPP: + *code_string = "Unsupported encryption type"; + break; + default: + *code_string = "Password change failed"; + break; + } + + return(0); +} + +static krb5_error_code parse_setpw_reply(krb5_context context, + krb5_auth_context auth_context, + krb5_data *packet) +{ + krb5_data ap_rep; + char *p; + int vnum, ret, res_code; + krb5_data cipherresult; + krb5_data clearresult; + krb5_ap_rep_enc_part *ap_rep_enc; + krb5_replay_data replay; + + if (packet->length < 4) { + return KRB5KRB_AP_ERR_MODIFIED; + } + + p = packet->data; + + if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) { + /* it's an error packet. We should parse it ... */ + DEBUG(1,("Got error packet 0x%x from kpasswd server\n", + ((char *)packet->data)[0])); + return KRB5KRB_AP_ERR_MODIFIED; + } + + if (RSVAL(p, 0) != packet->length) { + DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n", + RSVAL(p, 0), packet->length)); + return KRB5KRB_AP_ERR_MODIFIED; + } + + p += 2; + + vnum = RSVAL(p, 0); p += 2; + + /* FIXME: According to standard there is only one type of reply */ + if (vnum != KRB5_KPASSWD_VERS_SETPW && + vnum != KRB5_KPASSWD_VERS_SETPW_MS && + vnum != KRB5_KPASSWD_VERS_CHANGEPW) { + DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum)); + return KRB5KDC_ERR_BAD_PVNO; + } + + ap_rep.length = RSVAL(p, 0); p += 2; + + if (p + ap_rep.length >= (char *)packet->data + packet->length) { + DEBUG(1,("ptr beyond end of packet from kpasswd server\n")); + return KRB5KRB_AP_ERR_MODIFIED; + } + + if (ap_rep.length == 0) { + DEBUG(1,("got unencrypted setpw result?!\n")); + return KRB5KRB_AP_ERR_MODIFIED; + } + + /* verify ap_rep */ + ap_rep.data = p; + p += ap_rep.length; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret))); + return KRB5KRB_AP_ERR_MODIFIED; + } + + krb5_free_ap_rep_enc_part(context, ap_rep_enc); + + cipherresult.data = p; + cipherresult.length = ((char *)packet->data + packet->length) - p; + + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + &replay); + if (ret) { + DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret))); + return KRB5KRB_AP_ERR_MODIFIED; + } + + if (clearresult.length < 2) { + free(clearresult.data); + ret = KRB5KRB_AP_ERR_MODIFIED; + return KRB5KRB_AP_ERR_MODIFIED; + } + + p = clearresult.data; + + res_code = RSVAL(p, 0); + + free(clearresult.data); + + if ((res_code < KRB5_KPASSWD_SUCCESS) || + (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) { + return KRB5KRB_AP_ERR_MODIFIED; + } + + if(res_code == KRB5_KPASSWD_SUCCESS) + return 0; + else { + char *errstr; + krb5_setpw_result_code_string(context, res_code, &errstr); + DEBUG(1, ("Error changing password: %s\n", errstr)); + + switch(res_code) { + case KRB5_KPASSWD_ACCESSDENIED: + return KRB5KDC_ERR_BADOPTION; + break; + case KRB5_KPASSWD_INITIAL_FLAG_NEEDED: + return KRB5KDC_ERR_BADOPTION; + /* return KV5M_ALT_METHOD; MIT-only define */ + break; + case KRB5_KPASSWD_ETYPE_NOSUPP: + return KRB5KDC_ERR_ETYPE_NOSUPP; + break; + case KRB5_KPASSWD_BAD_PRINCIPAL: + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + break; + case KRB5_KPASSWD_POLICY_REJECT: + return KRB5KDC_ERR_POLICY; + break; + default: + return KRB5KRB_ERR_GENERIC; + break; + } + } +} + +static ADS_STATUS do_krb5_kpasswd_request(krb5_context context, + const char *kdc_host, + uint16 pversion, + krb5_creds *credsp, + const char *princ, + const char *newpw) +{ + krb5_auth_context auth_context = NULL; + krb5_data ap_req, chpw_req, chpw_rep; + int ret, sock, addr_len; + struct sockaddr remote_addr, local_addr; + krb5_address local_kaddr, remote_kaddr; + + ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY, + NULL, credsp, &ap_req); + if (ret) { + DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT); + if (sock == -1) { + int rc = errno; + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("failed to open kpasswd socket to %s (%s)\n", + kdc_host, strerror(errno))); + return ADS_ERROR_SYSTEM(rc); + } + + addr_len = sizeof(remote_addr); + getpeername(sock, &remote_addr, &addr_len); + addr_len = sizeof(local_addr); + getsockname(sock, &local_addr, &addr_len); + + setup_kaddr(&remote_kaddr, &remote_addr); + setup_kaddr(&local_kaddr, &local_addr); + + ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL); + if (ret) { + close(sock); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ret = build_kpasswd_request(pversion, context, auth_context, &ap_req, + princ, newpw, &chpw_req); + if (ret) { + close(sock); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) { + close(sock); + free(chpw_req.data); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("send of chpw failed (%s)\n", strerror(errno))); + return ADS_ERROR_SYSTEM(errno); + } + + free(chpw_req.data); + + chpw_rep.length = 1500; + chpw_rep.data = (char *) malloc(chpw_rep.length); + if (!chpw_rep.data) { + close(sock); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("send of chpw failed (%s)\n", strerror(errno))); + errno = ENOMEM; + return ADS_ERROR_SYSTEM(errno); + } + + ret = read(sock, chpw_rep.data, chpw_rep.length); + if (ret < 0) { + close(sock); + free(chpw_rep.data); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno))); + return ADS_ERROR_SYSTEM(errno); + } + + close(sock); + chpw_rep.length = ret; + + ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr); + if (ret) { + free(chpw_rep.data); + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n", + error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ret = parse_setpw_reply(context, auth_context, &chpw_rep); + free(chpw_rep.data); + + if (ret) { + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + DEBUG(1,("parse_setpw_reply failed (%s)\n", + error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + free(ap_req.data); + krb5_auth_con_free(context, auth_context); + + return ADS_SUCCESS; +} + +ADS_STATUS krb5_set_password(const char *kdc_host, const char *princ, const char *newpw, + int time_offset) +{ + + ADS_STATUS aret; + krb5_error_code ret; + krb5_context context; + krb5_principal principal; + char *princ_name; + char *realm; + krb5_creds creds, *credsp; + krb5_ccache ccache; + + ret = krb5_init_context(&context); + if (ret) { + DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + if (time_offset != 0) { + krb5_set_real_time(context, time(NULL) + time_offset, 0); + } + + ret = krb5_cc_default(context, &ccache); + if (ret) { + krb5_free_context(context); + DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ZERO_STRUCT(creds); + + realm = strchr(princ, '@'); + realm++; + + asprintf(&princ_name, "kadmin/changepw@%s", realm); + ret = krb5_parse_name(context, princ_name, &creds.server); + if (ret) { + krb5_free_context(context); + DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + free(princ_name); + + /* parse the principal we got as a function argument */ + ret = krb5_parse_name(context, princ, &principal); + if (ret) { + krb5_free_context(context); + DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + krb5_princ_set_realm(context, creds.server, + krb5_princ_realm(context, principal)); + + ret = krb5_cc_get_principal(context, ccache, &creds.client); + if (ret) { + krb5_free_principal(context, principal); + krb5_free_context(context); + DEBUG(1,("Failed to get principal from ccache (%s)\n", + error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); + if (ret) { + krb5_free_principal(context, creds.client); + krb5_free_principal(context, principal); + krb5_free_context(context); + DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + /* we might have to call krb5_free_creds(...) from now on ... */ + + aret = do_krb5_kpasswd_request(context, kdc_host, + KRB5_KPASSWD_VERS_SETPW_MS, + credsp, princ, newpw); + + krb5_free_creds(context, credsp); + krb5_free_principal(context, creds.client); + krb5_free_principal(context, creds.server); + krb5_free_principal(context, principal); + krb5_free_context(context); + + return aret; +} + +/* + we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... +*/ +static krb5_error_code +kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, + int num_prompts, + krb5_prompt prompts[]) +{ + if (num_prompts == 0) return 0; + + memset(prompts[0].reply->data, 0, prompts[0].reply->length); + if (prompts[0].reply->length > 0) { + if (data) { + strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1); + prompts[0].reply->length = strlen(prompts[0].reply->data); + } else { + prompts[0].reply->length = 0; + } + } + return 0; +} + +ADS_STATUS krb5_chg_password(const char *kdc_host, + const char *principal, + const char *oldpw, + const char *newpw, + int time_offset) +{ + ADS_STATUS aret; + krb5_error_code ret; + krb5_context context; + krb5_principal princ; + krb5_get_init_creds_opt opts; + krb5_creds creds; + char *chpw_princ = NULL, *password; + + ret = krb5_init_context(&context); + if (ret) { + DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + if ((ret = krb5_parse_name(context, principal, + &princ))) { + krb5_free_context(context); + DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + krb5_get_init_creds_opt_init(&opts); + krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); + krb5_get_init_creds_opt_set_renew_life(&opts, 0); + krb5_get_init_creds_opt_set_forwardable(&opts, 0); + krb5_get_init_creds_opt_set_proxiable(&opts, 0); + + /* We have to obtain an INITIAL changepw ticket for changing password */ + asprintf(&chpw_princ, "kadmin/changepw@%s", + (char *) krb5_princ_realm(context, princ)); + password = strdup(oldpw); + ret = krb5_get_init_creds_password(context, &creds, princ, password, + kerb_prompter, NULL, + 0, chpw_princ, &opts); + SAFE_FREE(chpw_princ); + SAFE_FREE(password); + + if (ret) { + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + DEBUG(1,("Password incorrect while getting initial ticket")); + else + DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret))); + + krb5_free_principal(context, princ); + krb5_free_context(context); + return ADS_ERROR_KRB5(ret); + } + + aret = do_krb5_kpasswd_request(context, kdc_host, + KRB5_KPASSWD_VERS_CHANGEPW, + &creds, principal, newpw); + + krb5_free_principal(context, princ); + krb5_free_context(context); + + return aret; +} + + +ADS_STATUS kerberos_set_password(const char *kpasswd_server, + const char *auth_principal, const char *auth_password, + const char *target_principal, const char *new_password, + int time_offset) +{ + int ret; + + if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) { + DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } + + if (!strcmp(auth_principal, target_principal)) + return krb5_chg_password(kpasswd_server, target_principal, + auth_password, new_password, time_offset); + else + return krb5_set_password(kpasswd_server, target_principal, + new_password, time_offset); +} + + +/** + * Set the machine account password + * @param ads connection to ads server + * @param hostname machine whose password is being set + * @param password new password + * @return status of password change + **/ +ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads, + const char *hostname, + const char *password) +{ + ADS_STATUS status; + char *host = strdup(hostname); + char *principal; + + strlower(host); + + /* + we need to use the '$' form of the name here, as otherwise the + server might end up setting the password for a user instead + */ + asprintf(&principal, "%s$@%s", host, ads->auth.realm); + + status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset); + + free(host); + free(principal); + + return status; +} + + + +#endif diff --git a/source4/libads/ldap.c b/source4/libads/ldap.c new file mode 100644 index 0000000000..0bcd76cb9f --- /dev/null +++ b/source4/libads/ldap.c @@ -0,0 +1,2098 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Remus Koos 2001 + Copyright (C) Jim McDonough 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_LDAP + +/** + * @file ldap.c + * @brief basic ldap client-side routines for ads server communications + * + * The routines contained here should do the necessary ldap calls for + * ads setups. + * + * Important note: attribute names passed into ads_ routines must + * already be in UTF-8 format. We do not convert them because in almost + * all cases, they are just ascii (which is represented with the same + * codepoints in UTF-8). This may have to change at some point + **/ + + +/* + try a connection to a given ldap server, returning True and setting the servers IP + in the ads struct if successful + */ +static BOOL ads_try_connect(ADS_STRUCT *ads, const char *server, unsigned port) +{ + char *srv; + + if (!server || !*server) { + return False; + } + + DEBUG(5,("ads_try_connect: trying ldap server '%s' port %u\n", server, port)); + + /* this copes with inet_ntoa brokenness */ + srv = strdup(server); + + ads->ld = ldap_open(srv, port); + if (!ads->ld) { + free(srv); + return False; + } + ads->ldap_port = port; + ads->ldap_ip = *interpret_addr2(srv); + free(srv); + + return True; +} + +/* + try a connection to a given ldap server, based on URL, returning True if successful + */ +static BOOL ads_try_connect_uri(ADS_STRUCT *ads) +{ +#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000) + DEBUG(5,("ads_try_connect: trying ldap server at URI '%s'\n", + ads->server.ldap_uri)); + + + if (ldap_initialize((LDAP**)&(ads->ld), ads->server.ldap_uri) == LDAP_SUCCESS) { + return True; + } + DEBUG(0, ("ldap_initialize: %s\n", strerror(errno))); + +#else + + DEBUG(1, ("no URL support in LDAP libs!\n")); +#endif + + return False; +} + +/* used by the IP comparison function */ +struct ldap_ip { + struct in_addr ip; + unsigned port; +}; + +/* compare 2 ldap IPs by nearness to our interfaces - used in qsort */ +static int ldap_ip_compare(struct ldap_ip *ip1, struct ldap_ip *ip2) +{ + return ip_compare(&ip1->ip, &ip2->ip); +} + +/* try connecting to a ldap server via DNS */ +static BOOL ads_try_dns(ADS_STRUCT *ads) +{ + const char *c_realm; + const char *ptr; + char *realm; + char *list = NULL; + pstring tok; + struct ldap_ip *ip_list; + int count, i=0; + + c_realm = ads->server.realm; + if (!c_realm || !*c_realm) { + c_realm = lp_realm(); + } + if (!c_realm || !*c_realm) { + c_realm = ads->server.workgroup; + } + if (!c_realm || !*c_realm) { + c_realm = lp_workgroup(); + } + if (!c_realm) { + return False; + } + realm = smb_xstrdup(c_realm); + + DEBUG(6,("ads_try_dns: looking for realm '%s'\n", realm)); + if (ldap_domain2hostlist(realm, &list) != LDAP_SUCCESS) { + SAFE_FREE(realm); + return False; + } + + DEBUG(6,("ads_try_dns: ldap realm '%s' host list '%s'\n", realm, list)); + SAFE_FREE(realm); + + count = count_chars(list, ' ') + 1; + ip_list = malloc(count * sizeof(struct ldap_ip)); + if (!ip_list) { + return False; + } + + ptr = list; + while (next_token(&ptr, tok, " ", sizeof(tok))) { + unsigned port = LDAP_PORT; + char *p = strchr(tok, ':'); + if (p) { + *p = 0; + port = atoi(p+1); + } + ip_list[i].ip = *interpret_addr2(tok); + ip_list[i].port = port; + if (!is_zero_ip(ip_list[i].ip)) { + i++; + } + } + free(list); + + count = i; + + /* we sort the list of addresses by closeness to our interfaces. This + tries to prevent us using a DC on the other side of the country */ + if (count > 1) { + qsort(ip_list, count, sizeof(struct ldap_ip), + QSORT_CAST ldap_ip_compare); + } + + for (i=0;iserver.workgroup; + BOOL list_ordered; + + if (!workgroup) { + workgroup = lp_workgroup(); + } + + DEBUG(6,("ads_try_netbios: looking for workgroup '%s'\n", workgroup)); + + /* try the PDC first */ + if (get_pdc_ip(workgroup, &pdc_ip)) { + DEBUG(6,("ads_try_netbios: trying server '%s'\n", + inet_ntoa(pdc_ip))); + if (ads_try_connect(ads, inet_ntoa(pdc_ip), LDAP_PORT)) + return True; + } + + /* now any DC, including backups */ + if (get_dc_list(workgroup, &ip_list, &count, &list_ordered)) { + for (i=0;ilast_attempt = time(NULL); + ads->ld = NULL; + + /* try with a URL based server */ + + if (ads->server.ldap_uri && + ads_try_connect_uri(ads)) { + goto got_connection; + } + + /* try with a user specified server */ + if (ads->server.ldap_server && + ads_try_connect(ads, ads->server.ldap_server, LDAP_PORT)) { + goto got_connection; + } + + /* try with a smb.conf ads server setting if we are connecting + to the primary workgroup or realm */ + if (!ads->server.foreign && + ads_try_connect(ads, lp_ads_server(), LDAP_PORT)) { + goto got_connection; + } + + /* try via DNS */ + if (ads_try_dns(ads)) { + goto got_connection; + } + + /* try via netbios lookups */ + if (!lp_disable_netbios() && ads_try_netbios(ads)) { + goto got_connection; + } + + return ADS_ERROR_SYSTEM(errno?errno:ENOENT); + +got_connection: + DEBUG(3,("Connected to LDAP server %s\n", inet_ntoa(ads->ldap_ip))); + + status = ads_server_info(ads); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("Failed to get ldap server info\n")); + return status; + } + + ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); + + if (!ads->auth.user_name) { + /* by default use the machine account */ + fstring myname; + fstrcpy(myname, lp_netbios_name()); + strlower(myname); + asprintf(&ads->auth.user_name, "HOST/%s", myname); + } + + if (!ads->auth.realm) { + ads->auth.realm = strdup(ads->config.realm); + } + + if (!ads->auth.kdc_server) { + ads->auth.kdc_server = strdup(inet_ntoa(ads->ldap_ip)); + } + +#if KRB5_DNS_HACK + /* this is a really nasty hack to avoid ADS DNS problems. It needs a patch + to MIT kerberos to work (tridge) */ + { + char *env; + asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm); + setenv(env, ads->auth.kdc_server, 1); + free(env); + } +#endif + + if (ads->auth.flags & ADS_AUTH_NO_BIND) { + return ADS_SUCCESS; + } + + if (ads->auth.flags & ADS_AUTH_ANON_BIND) { + return ADS_ERROR(ldap_simple_bind_s( ads->ld, NULL, NULL)); + } + + if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) { + return ADS_ERROR(ldap_simple_bind_s( ads->ld, ads->auth.user_name, ads->auth.password)); + } + + return ads_sasl_bind(ads); +} + +/* + Duplicate a struct berval into talloc'ed memory + */ +static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val) +{ + struct berval *value; + + if (!in_val) return NULL; + + value = talloc_zero(ctx, sizeof(struct berval)); + if (value == NULL) + return NULL; + if (in_val->bv_len == 0) return value; + + value->bv_len = in_val->bv_len; + value->bv_val = talloc_memdup(ctx, in_val->bv_val, in_val->bv_len); + return value; +} + +/* + Make a values list out of an array of (struct berval *) + */ +static struct berval **ads_dup_values(TALLOC_CTX *ctx, + const struct berval **in_vals) +{ + struct berval **values; + int i; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++); /* count values */ + values = (struct berval **) talloc_zero(ctx, + (i+1)*sizeof(struct berval *)); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + values[i] = dup_berval(ctx, in_vals[i]); + } + return values; +} + +/* + UTF8-encode a values list out of an array of (char *) + */ +static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals) +{ + char **values; + int i; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++); /* count values */ + values = (char ** ) talloc_zero(ctx, (i+1)*sizeof(char *)); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + push_utf8_talloc(ctx, &values[i], in_vals[i]); + } + return values; +} + +/* + Pull a (char *) array out of a UTF8-encoded values list + */ +static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals) +{ + char **values; + int i; + + if (!in_vals) return NULL; + for (i=0; in_vals[i]; i++); /* count values */ + values = (char **) talloc_zero(ctx, (i+1)*sizeof(char *)); + if (!values) return NULL; + + for (i=0; in_vals[i]; i++) { + pull_utf8_talloc(ctx, &values[i], in_vals[i]); + } + return values; +} + +/** + * Do a search with paged results. cookie must be null on the first + * call, and then returned on each subsequent call. It will be null + * again when the entire search is complete + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_BASE | LDAP_ONE | LDAP_SUBTREE) + * @param exp Search expression - specified in local charset + * @param attrs Attributes to retrieve - specified in utf8 or ascii + * @param res ** which will contain results - free res* with ads_msgfree() + * @param count Number of entries retrieved on this page + * @param cookie The paged results cookie to be returned on subsequent calls + * @return status of search + **/ +ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *exp, + const char **attrs, void **res, + int *count, void **cookie) +{ + int rc, i, version; + char *utf8_exp, *utf8_path, **search_attrs; + LDAPControl PagedResults, NoReferrals, *controls[3], **rcontrols; + BerElement *cookie_be = NULL; + struct berval *cookie_bv= NULL; + TALLOC_CTX *ctx; + + *res = NULL; + + if (!(ctx = talloc_init("ads_do_paged_search"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + /* 0 means the conversion worked but the result was empty + so we only fail if it's -1. In any case, it always + at least nulls out the dest */ + if ((push_utf8_talloc(ctx, &utf8_exp, exp) == (size_t)-1) || + (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) { + rc = LDAP_NO_MEMORY; + goto done; + } + + if (!attrs || !(*attrs)) + search_attrs = NULL; + else { + /* This would be the utf8-encoded version...*/ + /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ + if (!(str_list_copy(&search_attrs, attrs))) { + rc = LDAP_NO_MEMORY; + goto done; + } + } + + + /* Paged results only available on ldap v3 or later */ + ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); + if (version < LDAP_VERSION3) { + rc = LDAP_NOT_SUPPORTED; + goto done; + } + + cookie_be = ber_alloc_t(LBER_USE_DER); + if (cookie && *cookie) { + ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie); + ber_bvfree(*cookie); /* don't need it from last time */ + *cookie = NULL; + } else { + ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0); + } + ber_flatten(cookie_be, &cookie_bv); + PagedResults.ldctl_oid = ADS_PAGE_CTL_OID; + PagedResults.ldctl_iscritical = (char) 1; + PagedResults.ldctl_value.bv_len = cookie_bv->bv_len; + PagedResults.ldctl_value.bv_val = cookie_bv->bv_val; + + NoReferrals.ldctl_oid = ADS_NO_REFERRALS_OID; + NoReferrals.ldctl_iscritical = (char) 0; + NoReferrals.ldctl_value.bv_len = 0; + NoReferrals.ldctl_value.bv_val = ""; + + + controls[0] = &NoReferrals; + controls[1] = &PagedResults; + controls[2] = NULL; + + *res = NULL; + + /* we need to disable referrals as the openldap libs don't + handle them and paged results at the same time. Using them + together results in the result record containing the server + page control being removed from the result list (tridge/jmcd) + + leaving this in despite the control that says don't generate + referrals, in case the server doesn't support it (jmcd) + */ + ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_exp, + search_attrs, 0, controls, + NULL, NULL, LDAP_NO_LIMIT, (LDAPMessage **)res); + + ber_free(cookie_be, 1); + ber_bvfree(cookie_bv); + + if (rc) { + DEBUG(3,("ldap_search_ext_s(%s) -> %s\n", exp, ldap_err2string(rc))); + goto done; + } + + rc = ldap_parse_result(ads->ld, *res, NULL, NULL, NULL, + NULL, &rcontrols, 0); + + if (!rcontrols) { + goto done; + } + + for (i=0; rcontrols[i]; i++) { + if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) { + cookie_be = ber_init(&rcontrols[i]->ldctl_value); + ber_scanf(cookie_be,"{iO}", (ber_int_t *) count, + &cookie_bv); + /* the berval is the cookie, but must be freed when + it is all done */ + if (cookie_bv->bv_len) /* still more to do */ + *cookie=ber_bvdup(cookie_bv); + else + *cookie=NULL; + ber_bvfree(cookie_bv); + ber_free(cookie_be, 1); + break; + } + } + ldap_controls_free(rcontrols); + +done: + talloc_destroy(ctx); + /* if/when we decide to utf8-encode attrs, take out this next line */ + str_list_free(&search_attrs); + + return ADS_ERROR(rc); +} + + +/** + * Get all results for a search. This uses ads_do_paged_search() to return + * all entries in a large search. + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_BASE | LDAP_ONE | LDAP_SUBTREE) + * @param exp Search expression + * @param attrs Attributes to retrieve + * @param res ** which will contain results - free res* with ads_msgfree() + * @return status of search + **/ +ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *exp, + const char **attrs, void **res) +{ + void *cookie = NULL; + int count = 0; + ADS_STATUS status; + + status = ads_do_paged_search(ads, bind_path, scope, exp, attrs, res, + &count, &cookie); + + if (!ADS_ERR_OK(status)) return status; + + while (cookie) { + void *res2 = NULL; + ADS_STATUS status2; + LDAPMessage *msg, *next; + + status2 = ads_do_paged_search(ads, bind_path, scope, exp, + attrs, &res2, &count, &cookie); + + if (!ADS_ERR_OK(status2)) break; + + /* this relies on the way that ldap_add_result_entry() works internally. I hope + that this works on all ldap libs, but I have only tested with openldap */ + for (msg = ads_first_entry(ads, res2); msg; msg = next) { + next = ads_next_entry(ads, msg); + ldap_add_result_entry((LDAPMessage **)res, msg); + } + /* note that we do not free res2, as the memory is now + part of the main returned list */ + } + + return status; +} + +/** + * Run a function on all results for a search. Uses ads_do_paged_search() and + * runs the function as each page is returned, using ads_process_results() + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_BASE | LDAP_ONE | LDAP_SUBTREE) + * @param exp Search expression - specified in local charset + * @param attrs Attributes to retrieve - specified in UTF-8 or ascii + * @param fn Function which takes attr name, values list, and data_area + * @param data_area Pointer which is passed to function on each call + * @return status of search + **/ +ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path, + int scope, const char *exp, const char **attrs, + BOOL(*fn)(char *, void **, void *), + void *data_area) +{ + void *cookie = NULL; + int count = 0; + ADS_STATUS status; + void *res; + + status = ads_do_paged_search(ads, bind_path, scope, exp, attrs, &res, + &count, &cookie); + + if (!ADS_ERR_OK(status)) return status; + + ads_process_results(ads, res, fn, data_area); + ads_msgfree(ads, res); + + while (cookie) { + status = ads_do_paged_search(ads, bind_path, scope, exp, attrs, + &res, &count, &cookie); + + if (!ADS_ERR_OK(status)) break; + + ads_process_results(ads, res, fn, data_area); + ads_msgfree(ads, res); + } + + return status; +} + +/** + * Do a search with a timeout. + * @param ads connection to ads server + * @param bind_path Base dn for the search + * @param scope Scope of search (LDAP_BASE | LDAP_ONE | LDAP_SUBTREE) + * @param exp Search expression + * @param attrs Attributes to retrieve + * @param res ** which will contain results - free res* with ads_msgfree() + * @return status of search + **/ +ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope, + const char *exp, + const char **attrs, void **res) +{ + struct timeval timeout; + int rc; + char *utf8_exp, *utf8_path, **search_attrs = NULL; + TALLOC_CTX *ctx; + + if (!(ctx = talloc_init("ads_do_search"))) { + DEBUG(1,("ads_do_search: talloc_init() failed!")); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* 0 means the conversion worked but the result was empty + so we only fail if it's negative. In any case, it always + at least nulls out the dest */ + if ((push_utf8_talloc(ctx, &utf8_exp, exp) == (size_t)-1) || + (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) { + DEBUG(1,("ads_do_search: push_utf8_talloc() failed!")); + rc = LDAP_NO_MEMORY; + goto done; + } + + if (!attrs || !(*attrs)) + search_attrs = NULL; + else { + /* This would be the utf8-encoded version...*/ + /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */ + if (!(str_list_copy(&search_attrs, attrs))) + { + DEBUG(1,("ads_do_search: str_list_copy() failed!")); + rc = LDAP_NO_MEMORY; + goto done; + } + } + + timeout.tv_sec = ADS_SEARCH_TIMEOUT; + timeout.tv_usec = 0; + *res = NULL; + + /* see the note in ads_do_paged_search - we *must* disable referrals */ + ldap_set_option(ads->ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); + + rc = ldap_search_ext_s(ads->ld, utf8_path, scope, utf8_exp, + search_attrs, 0, NULL, NULL, + &timeout, LDAP_NO_LIMIT, (LDAPMessage **)res); + + if (rc == LDAP_SIZELIMIT_EXCEEDED) { + DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n")); + rc = 0; + } + + done: + talloc_destroy(ctx); + /* if/when we decide to utf8-encode attrs, take out this next line */ + str_list_free(&search_attrs); + return ADS_ERROR(rc); +} +/** + * Do a general ADS search + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param exp Search expression + * @param attrs Attributes to retrieve + * @return status of search + **/ +ADS_STATUS ads_search(ADS_STRUCT *ads, void **res, + const char *exp, + const char **attrs) +{ + return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, + exp, attrs, res); +} + +/** + * Do a search on a specific DistinguishedName + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param dn DistinguishName to search + * @param attrs Attributes to retrieve + * @return status of search + **/ +ADS_STATUS ads_search_dn(ADS_STRUCT *ads, void **res, + const char *dn, + const char **attrs) +{ + return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)", attrs, res); +} + +/** + * Free up memory from a ads_search + * @param ads connection to ads server + * @param msg Search results to free + **/ +void ads_msgfree(ADS_STRUCT *ads, void *msg) +{ + if (!msg) return; + ldap_msgfree(msg); +} + +/** + * Free up memory from various ads requests + * @param ads connection to ads server + * @param mem Area to free + **/ +void ads_memfree(ADS_STRUCT *ads, void *mem) +{ + SAFE_FREE(mem); +} + +/** + * Get a dn from search results + * @param ads connection to ads server + * @param res Search results + * @return dn string + **/ +char *ads_get_dn(ADS_STRUCT *ads, void *res) +{ + char *utf8_dn, *unix_dn; + + utf8_dn = ldap_get_dn(ads->ld, res); + pull_utf8_allocate((void **) &unix_dn, utf8_dn); + ldap_memfree(utf8_dn); + return unix_dn; +} + +/** + * Find a machine account given a hostname + * @param ads connection to ads server + * @param res ** which will contain results - free res* with ads_msgfree() + * @param host Hostname to search for + * @return status of search + **/ +ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, void **res, const char *host) +{ + ADS_STATUS status; + char *exp; + const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; + + /* the easiest way to find a machine account anywhere in the tree + is to look for hostname$ */ + if (asprintf(&exp, "(samAccountName=%s$)", host) == -1) { + DEBUG(1, ("asprintf failed!\n")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + status = ads_search(ads, res, exp, attrs); + free(exp); + return status; +} + +/** + * Initialize a list of mods to be used in a modify request + * @param ctx An initialized TALLOC_CTX + * @return allocated ADS_MODLIST + **/ +ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx) +{ +#define ADS_MODLIST_ALLOC_SIZE 10 + LDAPMod **mods; + + if ((mods = (LDAPMod **) talloc_zero(ctx, sizeof(LDAPMod *) * + (ADS_MODLIST_ALLOC_SIZE + 1)))) + /* -1 is safety to make sure we don't go over the end. + need to reset it to NULL before doing ldap modify */ + mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; + + return mods; +} + + +/* + add an attribute to the list, with values list already constructed +*/ +static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods, + int mod_op, const char *name, + const void **invals) +{ + int curmod; + LDAPMod **modlist = (LDAPMod **) *mods; + struct berval **ber_values = NULL; + char **char_values = NULL; + + if (!invals) { + mod_op = LDAP_MOD_DELETE; + } else { + if (mod_op & LDAP_MOD_BVALUES) + ber_values = ads_dup_values(ctx, + (const struct berval **)invals); + else + char_values = ads_push_strvals(ctx, + (const char **) invals); + } + + /* find the first empty slot */ + for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1; + curmod++); + if (modlist[curmod] == (LDAPMod *) -1) { + if (!(modlist = talloc_realloc(ctx, modlist, + (curmod+ADS_MODLIST_ALLOC_SIZE+1)*sizeof(LDAPMod *)))) + return ADS_ERROR(LDAP_NO_MEMORY); + memset(&modlist[curmod], 0, + ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *)); + modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1; + *mods = modlist; + } + + if (!(modlist[curmod] = talloc_zero(ctx, sizeof(LDAPMod)))) + return ADS_ERROR(LDAP_NO_MEMORY); + modlist[curmod]->mod_type = talloc_strdup(ctx, name); + if (mod_op & LDAP_MOD_BVALUES) { + modlist[curmod]->mod_bvalues = ber_values; + } else if (mod_op & LDAP_MOD_DELETE) { + modlist[curmod]->mod_values = NULL; + } else { + modlist[curmod]->mod_values = char_values; + } + + modlist[curmod]->mod_op = mod_op; + return ADS_ERROR(LDAP_SUCCESS); +} + +/** + * Add a single string value to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param val The value to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char *val) +{ + const char *values[2]; + + values[0] = val; + values[1] = NULL; + + if (!val) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, + (const void **) values); +} + +/** + * Add an array of string values to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param vals The array of string values to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const char **vals) +{ + if (!vals) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, + name, (const void **) vals); +} + +/** + * Add a single ber-encoded value to a mod list + * @param ctx An initialized TALLOC_CTX + * @param mods An initialized ADS_MODLIST + * @param name The attribute name to add + * @param val The value to add - NULL means DELETE + * @return ADS STATUS indicating success of add + **/ +static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const char *name, const struct berval *val) +{ + const struct berval *values[2]; + + values[0] = val; + values[1] = NULL; + if (!val) + return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL); + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, + name, (const void **) values); +} + +/** + * Perform an ldap modify + * @param ads connection to ads server + * @param mod_dn DistinguishedName to modify + * @param mods list of modifications to perform + * @return status of modify + **/ +ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) +{ + int ret,i; + char *utf8_dn = NULL; + /* + this control is needed to modify that contains a currently + non-existent attribute (but allowable for the object) to run + */ + LDAPControl PermitModify = { + ADS_PERMIT_MODIFY_OID, + {0, NULL}, + (char) 1}; + LDAPControl *controls[2]; + + controls[0] = &PermitModify; + controls[1] = NULL; + + if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + /* find the end of the list, marked by NULL or -1 */ + for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); + /* make sure the end of the list is NULL */ + mods[i] = NULL; + ret = ldap_modify_ext_s(ads->ld, utf8_dn, + (LDAPMod **) mods, controls, NULL); + SAFE_FREE(utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Perform an ldap add + * @param ads connection to ads server + * @param new_dn DistinguishedName to add + * @param mods list of attributes and values for DN + * @return status of add + **/ +ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) +{ + int ret, i; + char *utf8_dn = NULL; + + if (push_utf8_allocate(&utf8_dn, new_dn) == -1) { + DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + /* find the end of the list, marked by NULL or -1 */ + for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++); + /* make sure the end of the list is NULL */ + mods[i] = NULL; + + ret = ldap_add_s(ads->ld, utf8_dn, mods); + SAFE_FREE(utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Delete a DistinguishedName + * @param ads connection to ads server + * @param new_dn DistinguishedName to delete + * @return status of delete + **/ +ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) +{ + int ret; + char *utf8_dn = NULL; + if (push_utf8_allocate(&utf8_dn, del_dn) == -1) { + DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + ret = ldap_delete(ads->ld, utf8_dn); + return ADS_ERROR(ret); +} + +/** + * Build an org unit string + * if org unit is Computers or blank then assume a container, otherwise + * assume a \ separated list of organisational units + * @param org_unit Organizational unit + * @return org unit string - caller must free + **/ +char *ads_ou_string(const char *org_unit) +{ + if (!org_unit || !*org_unit || strcasecmp(org_unit, "Computers") == 0) { + return strdup("cn=Computers"); + } + + return ads_build_path(org_unit, "\\/", "ou=", 1); +} + + + +/* + add a machine account to the ADS server +*/ +static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname, + const char *org_unit) +{ + ADS_STATUS ret, status; + char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr; + char *ou_str; + TALLOC_CTX *ctx; + ADS_MODLIST mods; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", "computer", NULL}; + const char *servicePrincipalName[5] = {NULL, NULL, NULL, NULL, NULL}; + char *psp, *psp2; + unsigned acct_control; + + if (!(ctx = talloc_init("machine_account"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + ret = ADS_ERROR(LDAP_NO_MEMORY); + + if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", hostname))) + goto done; + if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm))) + goto done; + ou_str = ads_ou_string(org_unit); + if (!ou_str) { + DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n")); + goto done; + } + new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", hostname, ou_str, + ads->config.bind_path); + servicePrincipalName[0] = talloc_asprintf(ctx, "HOST/%s", hostname); + psp = talloc_asprintf(ctx, "HOST/%s.%s", + hostname, + ads->config.realm); + strlower(&psp[5]); + servicePrincipalName[1] = psp; + servicePrincipalName[2] = talloc_asprintf(ctx, "CIFS/%s", hostname); + psp2 = talloc_asprintf(ctx, "CIFS/%s.%s", + hostname, + ads->config.realm); + strlower(&psp2[5]); + servicePrincipalName[3] = psp2; + + free(ou_str); + if (!new_dn) + goto done; + + if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname))) + goto done; + + acct_control = UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD; +#ifndef ENCTYPE_ARCFOUR_HMAC + acct_control |= UF_USE_DES_KEY_ONLY; +#endif + if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) + goto done; + + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "cn", hostname); + ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); + ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "userPrincipalName", host_upn); + ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName); + ads_mod_str(ctx, &mods, "dNSHostName", hostname); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + ads_mod_str(ctx, &mods, "operatingSystem", "Samba"); + ads_mod_str(ctx, &mods, "operatingSystemVersion", VERSION); + + ret = ads_gen_add(ads, new_dn, mods); + + if (!ADS_ERR_OK(ret)) + goto done; + + /* Do not fail if we can't set security descriptor + * it shouldn't be mandatory and probably we just + * don't have enough rights to do it. + */ + status = ads_set_machine_sd(ads, hostname, new_dn); + + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Warning: ads_set_machine_sd: %s\n", + ads_errstr(status))); + } +done: + talloc_destroy(ctx); + return ret; +} + +/* + dump a binary result from ldap +*/ +static void dump_binary(const char *field, struct berval **values) +{ + int i, j; + for (i=0; values[i]; i++) { + printf("%s: ", field); + for (j=0; jbv_len; j++) { + printf("%02X", (unsigned char)values[i]->bv_val[j]); + } + printf("\n"); + } +} + +struct uuid { + uint32 i1; + uint16 i2; + uint16 i3; + uint8 s[8]; +}; + +static void dump_guid(const char *field, struct berval **values) +{ + int i; + GUID guid; + TALLOC_CTX *mem_ctx; + mem_ctx = talloc_init("dump_guid"); + if (!mem_ctx) return; + for (i=0; values[i]; i++) { + memcpy(guid.info, values[i]->bv_val, sizeof(guid.info)); + printf("%s: %s\n", field, uuid_string(mem_ctx, guid)); + } + talloc_destroy(mem_ctx); +} + +/* + dump a sid result from ldap +*/ +static void dump_sid(const char *field, struct berval **values) +{ + int i; + for (i=0; values[i]; i++) { + DOM_SID sid; + sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + printf("%s: %s\n", field, sid_string_static(&sid)); + } +} + +/* + dump ntSecurityDescriptor +*/ +static void dump_sd(const char *filed, struct berval **values) +{ + prs_struct ps; + + SEC_DESC *psd = 0; + TALLOC_CTX *ctx = 0; + + if (!(ctx = talloc_init("sec_io_desc"))) + return; + + /* prepare data */ + prs_init(&ps, values[0]->bv_len, ctx, UNMARSHALL); + prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len); + prs_set_offset(&ps,0); + + /* parse secdesc */ + if (!sec_io_desc("sd", &psd, &ps, 1)) { + prs_mem_free(&ps); + talloc_destroy(ctx); + return; + } + if (psd) ads_disp_sd(psd); + + prs_mem_free(&ps); + talloc_destroy(ctx); +} + +/* + dump a string result from ldap +*/ +static void dump_string(const char *field, char **values) +{ + int i; + for (i=0; values[i]; i++) { + printf("%s: %s\n", field, values[i]); + } +} + +/* + dump a field from LDAP on stdout + used for debugging +*/ + +static BOOL ads_dump_field(char *field, void **values, void *data_area) +{ + const struct { + const char *name; + BOOL string; + void (*handler)(const char *, struct berval **); + } handlers[] = { + {"objectGUID", False, dump_guid}, + {"nTSecurityDescriptor", False, dump_sd}, + {"dnsRecord", False, dump_binary}, + {"objectSid", False, dump_sid}, + {"tokenGroups", False, dump_sid}, + {NULL, True, NULL} + }; + int i; + + if (!field) { /* must be end of an entry */ + printf("\n"); + return False; + } + + for (i=0; handlers[i].name; i++) { + if (StrCaseCmp(handlers[i].name, field) == 0) { + if (!values) /* first time, indicate string or not */ + return handlers[i].string; + handlers[i].handler(field, (struct berval **) values); + break; + } + } + if (!handlers[i].name) { + if (!values) /* first time, indicate string conversion */ + return True; + dump_string(field, (char **)values); + } + return False; +} + +/** + * Dump a result from LDAP on stdout + * used for debugging + * @param ads connection to ads server + * @param res Results to dump + **/ + +void ads_dump(ADS_STRUCT *ads, void *res) +{ + ads_process_results(ads, res, ads_dump_field, NULL); +} + +/** + * Walk through results, calling a function for each entry found. + * The function receives a field name, a berval * array of values, + * and a data area passed through from the start. The function is + * called once with null for field and values at the end of each + * entry. + * @param ads connection to ads server + * @param res Results to process + * @param fn Function for processing each result + * @param data_area user-defined area to pass to function + **/ +void ads_process_results(ADS_STRUCT *ads, void *res, + BOOL(*fn)(char *, void **, void *), + void *data_area) +{ + void *msg; + TALLOC_CTX *ctx; + + if (!(ctx = talloc_init("ads_process_results"))) + return; + + for (msg = ads_first_entry(ads, res); msg; + msg = ads_next_entry(ads, msg)) { + char *utf8_field; + BerElement *b; + + for (utf8_field=ldap_first_attribute(ads->ld, + (LDAPMessage *)msg,&b); + utf8_field; + utf8_field=ldap_next_attribute(ads->ld, + (LDAPMessage *)msg,b)) { + struct berval **ber_vals; + char **str_vals, **utf8_vals; + char *field; + BOOL string; + + pull_utf8_talloc(ctx, &field, utf8_field); + string = fn(field, NULL, data_area); + + if (string) { + utf8_vals = ldap_get_values(ads->ld, + (LDAPMessage *)msg, field); + str_vals = ads_pull_strvals(ctx, + (const char **) utf8_vals); + fn(field, (void **) str_vals, data_area); + ldap_value_free(utf8_vals); + } else { + ber_vals = ldap_get_values_len(ads->ld, + (LDAPMessage *)msg, field); + fn(field, (void **) ber_vals, data_area); + + ldap_value_free_len(ber_vals); + } + ldap_memfree(utf8_field); + } + ber_free(b, 0); + talloc_destroy_pool(ctx); + fn(NULL, NULL, data_area); /* completed an entry */ + + } + talloc_destroy(ctx); +} + +/** + * count how many replies are in a LDAPMessage + * @param ads connection to ads server + * @param res Results to count + * @return number of replies + **/ +int ads_count_replies(ADS_STRUCT *ads, void *res) +{ + return ldap_count_entries(ads->ld, (LDAPMessage *)res); +} + +/** + * Join a machine to a realm + * Creates the machine account and sets the machine password + * @param ads connection to ads server + * @param hostname name of host to add + * @param org_unit Organizational unit to place machine in + * @return status of join + **/ +ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org_unit) +{ + ADS_STATUS status; + LDAPMessage *res; + char *host; + + /* hostname must be lowercase */ + host = strdup(hostname); + strlower(host); + + status = ads_find_machine_acct(ads, (void **)&res, host); + if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { + DEBUG(0, ("Host account for %s already exists - deleting old account\n", host)); + status = ads_leave_realm(ads, host); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n", + host, ads->config.realm)); + return status; + } + } + + status = ads_add_machine_acct(ads, host, org_unit); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status))); + return status; + } + + status = ads_find_machine_acct(ads, (void **)&res, host); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Host account test failed\n")); + return status; + } + + free(host); + + return status; +} + +/** + * Delete a machine from the realm + * @param ads connection to ads server + * @param hostname Machine to remove + * @return status of delete + **/ +ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) +{ + ADS_STATUS status; + void *res; + char *hostnameDN, *host; + int rc; + + /* hostname must be lowercase */ + host = strdup(hostname); + strlower(host); + + status = ads_find_machine_acct(ads, &res, host); + if (!ADS_ERR_OK(status)) { + DEBUG(0, ("Host account for %s does not exist.\n", host)); + return status; + } + + hostnameDN = ads_get_dn(ads, (LDAPMessage *)res); + rc = ldap_delete_s(ads->ld, hostnameDN); + ads_memfree(ads, hostnameDN); + if (rc != LDAP_SUCCESS) { + return ADS_ERROR(rc); + } + + status = ads_find_machine_acct(ads, &res, host); + if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { + DEBUG(0, ("Failed to remove host account.\n")); + return status; + } + + free(host); + + return status; +} + +/** + * add machine account to existing security descriptor + * @param ads connection to ads server + * @param hostname machine to add + * @param dn DN of security descriptor + * @return status + **/ +ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn) +{ + const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0}; + char *exp = 0; + size_t sd_size = 0; + struct berval bval = {0, NULL}; + prs_struct ps_wire; + char *escaped_hostname = escape_ldap_string_alloc(hostname); + + LDAPMessage *res = 0; + LDAPMessage *msg = 0; + ADS_MODLIST mods = 0; + + NTSTATUS status; + ADS_STATUS ret; + DOM_SID sid; + SEC_DESC *psd = NULL; + TALLOC_CTX *ctx = NULL; + + /* Avoid segmentation fault in prs_mem_free if + * we have to bail out before prs_init */ + ps_wire.is_dynamic = False; + + if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN); + + ret = ADS_ERROR(LDAP_SUCCESS); + + if (!escaped_hostname) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + if (asprintf(&exp, "(samAccountName=%s$)", escaped_hostname) == -1) { + DEBUG(1, ("ads_set_machine_sd: asprintf failed!\n")); + SAFE_FREE(escaped_hostname); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + SAFE_FREE(escaped_hostname); + + ret = ads_search(ads, (void *) &res, exp, attrs); + + if (!ADS_ERR_OK(ret)) return ret; + + if ( !(msg = ads_first_entry(ads, res) )) { + ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto ads_set_sd_error; + } + + if (!ads_pull_sid(ads, msg, attrs[1], &sid)) { + ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + goto ads_set_sd_error; + } + + if (!(ctx = talloc_init("sec_io_desc"))) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto ads_set_sd_error; + } + + if (!ads_pull_sd(ads, ctx, msg, attrs[0], &psd)) { + ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + goto ads_set_sd_error; + } + + status = sec_desc_add_sid(ctx, &psd, &sid, SEC_RIGHTS_FULL_CTRL, &sd_size); + + if (!NT_STATUS_IS_OK(status)) { + ret = ADS_ERROR_NT(status); + goto ads_set_sd_error; + } + + if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) { + ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + + if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto ads_set_sd_error; + } + +#if 0 + file_save("/tmp/sec_desc.new", ps_wire.data_p, sd_size); +#endif + if (!(mods = ads_init_mods(ctx))) return ADS_ERROR(LDAP_NO_MEMORY); + + bval.bv_len = prs_offset(&ps_wire); + bval.bv_val = talloc(ctx, bval.bv_len); + if (!bval.bv_val) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto ads_set_sd_error; + } + + prs_set_offset(&ps_wire, 0); + + if (!prs_copy_data_out(bval.bv_val, &ps_wire, bval.bv_len)) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto ads_set_sd_error; + } + + ret = ads_mod_ber(ctx, &mods, attrs[0], &bval); + if (ADS_ERR_OK(ret)) { + ret = ads_gen_mod(ads, dn, mods); + } + +ads_set_sd_error: + ads_msgfree(ads, res); + prs_mem_free(&ps_wire); + talloc_destroy(ctx); + return ret; +} + +/** + * pull the first entry from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return first entry from result + **/ +void *ads_first_entry(ADS_STRUCT *ads, void *res) +{ + return (void *)ldap_first_entry(ads->ld, (LDAPMessage *)res); +} + +/** + * pull the next entry from a ADS result + * @param ads connection to ads server + * @param res Results of search + * @return next entry from result + **/ +void *ads_next_entry(ADS_STRUCT *ads, void *res) +{ + return (void *)ldap_next_entry(ads->ld, (LDAPMessage *)res); +} + +/** + * pull a single string from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX to use for allocating result string + * @param msg Results of search + * @param field Attribute to retrieve + * @return Result string in talloc context + **/ +char *ads_pull_string(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, void *msg, const char *field) +{ + char **values; + char *ret = NULL; + char *ux_string; + size_t rc; + + values = ldap_get_values(ads->ld, msg, field); + if (!values) + return NULL; + + if (values[0]) { + rc = pull_utf8_talloc(mem_ctx, &ux_string, + values[0]); + if (rc != (size_t)-1) + ret = ux_string; + + } + ldap_value_free(values); + return ret; +} + +/** + * pull an array of strings from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX to use for allocating result string + * @param msg Results of search + * @param field Attribute to retrieve + * @return Result strings in talloc context + **/ +char **ads_pull_strings(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, void *msg, const char *field) +{ + char **values; + char **ret = NULL; + int i, n; + + values = ldap_get_values(ads->ld, msg, field); + if (!values) + return NULL; + + for (i=0;values[i];i++) + /* noop */ ; + n = i; + + ret = talloc(mem_ctx, sizeof(char *) * (n+1)); + if (!ret) { + ldap_value_free(values); + return NULL; + } + + for (i=0;ild, msg, field); + if (!values) + return False; + if (!values[0]) { + ldap_value_free(values); + return False; + } + + *v = atoi(values[0]); + ldap_value_free(values); + return True; +} + +/** + * pull a single objectGUID from an ADS result + * @param ads connection to ADS server + * @param msg results of search + * @param guid 37-byte area to receive text guid + * @return boolean indicating success + **/ +BOOL ads_pull_guid(ADS_STRUCT *ads, + void *msg, GUID *guid) +{ + char **values; + + values = ldap_get_values(ads->ld, msg, "objectGUID"); + if (!values) + return False; + + if (values[0]) { + memcpy(guid, values[0], sizeof(GUID)); + ldap_value_free(values); + return True; + } + ldap_value_free(values); + return False; + +} + + +/** + * pull a single DOM_SID from a ADS result + * @param ads connection to ads server + * @param msg Results of search + * @param field Attribute to retrieve + * @param sid Pointer to sid to store result + * @return boolean inidicating success +*/ +BOOL ads_pull_sid(ADS_STRUCT *ads, + void *msg, const char *field, DOM_SID *sid) +{ + struct berval **values; + BOOL ret = False; + + values = ldap_get_values_len(ads->ld, msg, field); + + if (!values) + return False; + + if (values[0]) + ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid); + + ldap_value_free_len(values); + return ret; +} + +/** + * pull an array of DOM_SIDs from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @param field Attribute to retrieve + * @param sids pointer to sid array to allocate + * @return the count of SIDs pulled + **/ +int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + void *msg, const char *field, DOM_SID **sids) +{ + struct berval **values; + BOOL ret; + int count, i; + + values = ldap_get_values_len(ads->ld, msg, field); + + if (!values) + return 0; + + for (i=0; values[i]; i++) + /* nop */ ; + + (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * i); + if (!(*sids)) { + ldap_value_free_len(values); + return 0; + } + + count = 0; + for (i=0; values[i]; i++) { + ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]); + if (ret) { + fstring sid; + DEBUG(10, ("pulling SID: %s\n", sid_to_string(sid, &(*sids)[count]))); + count++; + } + } + + ldap_value_free_len(values); + return count; +} + +/** + * pull a SEC_DESC from a ADS result + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @param field Attribute to retrieve + * @param sd Pointer to *SEC_DESC to store result (talloc()ed) + * @return boolean inidicating success +*/ +BOOL ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + void *msg, const char *field, SEC_DESC **sd) +{ + struct berval **values; + prs_struct ps; + BOOL ret = False; + + values = ldap_get_values_len(ads->ld, msg, field); + + if (!values) return False; + + if (values[0]) { + prs_init(&ps, values[0]->bv_len, mem_ctx, UNMARSHALL); + prs_copy_data_in(&ps, values[0]->bv_val, values[0]->bv_len); + prs_set_offset(&ps,0); + + ret = sec_io_desc("sd", sd, &ps, 1); + } + + ldap_value_free_len(values); + return ret; +} + +/* + * in order to support usernames longer than 21 characters we need to + * use both the sAMAccountName and the userPrincipalName attributes + * It seems that not all users have the userPrincipalName attribute set + * + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating sid array + * @param msg Results of search + * @return the username + */ +char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, void *msg) +{ + char *ret, *p; + + ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName"); + if (ret && (p = strchr(ret, '@'))) { + *p = 0; + return ret; + } + return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName"); +} + + +/** + * find the update serial number - this is the core of the ldap cache + * @param ads connection to ads server + * @param ads connection to ADS server + * @param usn Pointer to retrieved update serial number + * @return status of search + **/ +ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn) +{ + const char *attrs[] = {"highestCommittedUSN", NULL}; + ADS_STATUS status; + void *res; + + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) return status; + + if (ads_count_replies(ads, res) != 1) { + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + ads_pull_uint32(ads, res, "highestCommittedUSN", usn); + ads_msgfree(ads, res); + return ADS_SUCCESS; +} + +/* parse a ADS timestring - typical string is + '20020917091222.0Z0' which means 09:12.22 17th September + 2002, timezone 0 */ +static time_t ads_parse_time(const char *str) +{ + struct tm tm; + + ZERO_STRUCT(tm); + + if (sscanf(str, "%4d%2d%2d%2d%2d%2d", + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, + &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) { + return 0; + } + tm.tm_year -= 1900; + tm.tm_mon -= 1; + + return timegm(&tm); +} + + +/** + * Find the servers name and realm - this can be done before authentication + * The ldapServiceName field on w2k looks like this: + * vnet3.home.samba.org:win2000-vnet3$@VNET3.HOME.SAMBA.ORG + * @param ads connection to ads server + * @return status of search + **/ +ADS_STATUS ads_server_info(ADS_STRUCT *ads) +{ + const char *attrs[] = {"ldapServiceName", "currentTime", NULL}; + ADS_STATUS status; + void *res; + char *value; + char *p; + char *timestr; + TALLOC_CTX *ctx; + + if (!(ctx = talloc_init("ads_server_info"))) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) return status; + + value = ads_pull_string(ads, ctx, res, "ldapServiceName"); + if (!value) { + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + timestr = ads_pull_string(ads, ctx, res, "currentTime"); + if (!timestr) { + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + ldap_msgfree(res); + + p = strchr(value, ':'); + if (!p) { + talloc_destroy(ctx); + DEBUG(1, ("ads_server_info: returned ldap server name did not contain a ':' so was deemed invalid\n")); + return ADS_ERROR(LDAP_DECODING_ERROR); + } + + SAFE_FREE(ads->config.ldap_server_name); + + ads->config.ldap_server_name = strdup(p+1); + p = strchr(ads->config.ldap_server_name, '$'); + if (!p || p[1] != '@') { + talloc_destroy(ctx); + DEBUG(1, ("ads_server_info: returned ldap server name (%s) does not contain '$@' so was deemed invalid\n", ads->config.ldap_server_name)); + SAFE_FREE(ads->config.ldap_server_name); + return ADS_ERROR(LDAP_DECODING_ERROR); + } + + *p = 0; + + SAFE_FREE(ads->config.realm); + SAFE_FREE(ads->config.bind_path); + + ads->config.realm = strdup(p+2); + ads->config.bind_path = ads_build_dn(ads->config.realm); + + DEBUG(3,("got ldap server name %s@%s, using bind path: %s\n", + ads->config.ldap_server_name, ads->config.realm, + ads->config.bind_path)); + + ads->config.current_time = ads_parse_time(timestr); + + if (ads->config.current_time != 0) { + ads->auth.time_offset = ads->config.current_time - time(NULL); + DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset)); + } + + talloc_destroy(ctx); + + return ADS_SUCCESS; +} + + +/** + * find the list of trusted domains + * @param ads connection to ads server + * @param mem_ctx TALLOC_CTX for allocating results + * @param num_trusts pointer to number of trusts + * @param names pointer to trusted domain name list + * @param sids pointer to list of sids of trusted domains + * @return the count of SIDs pulled + **/ +ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + int *num_trusts, + char ***names, + char ***alt_names, + DOM_SID **sids) +{ + const char *attrs[] = {"name", "flatname", "securityIdentifier", + "trustDirection", NULL}; + ADS_STATUS status; + void *res, *msg; + int count, i; + + *num_trusts = 0; + + status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs); + if (!ADS_ERR_OK(status)) return status; + + count = ads_count_replies(ads, res); + if (count == 0) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + (*names) = talloc(mem_ctx, sizeof(char *) * count); + (*alt_names) = talloc(mem_ctx, sizeof(char *) * count); + (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count); + if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY); + + for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { + uint32 direction; + + /* direction is a 2 bit bitfield, 1 means they trust us + but we don't trust them, so we should not list them + as users from that domain can't login */ + if (ads_pull_uint32(ads, msg, "trustDirection", &direction) && + direction == 1) { + continue; + } + + (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "name"); + (*alt_names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatname"); + + if ((*alt_names)[i] && (*alt_names)[i][0]) { + /* we prefer the flatname as the primary name + for consistency with RPC */ + char *name = (*alt_names)[i]; + (*alt_names)[i] = (*names)[i]; + (*names)[i] = name; + } + if (ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i])) { + i++; + } + } + + ads_msgfree(ads, res); + + *num_trusts = i; + + return ADS_SUCCESS; +} + +/** + * find the domain sid for our domain + * @param ads connection to ads server + * @param sid Pointer to domain sid + * @return status of search + **/ +ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, DOM_SID *sid) +{ + const char *attrs[] = {"objectSid", NULL}; + void *res; + ADS_STATUS rc; + + rc = ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)", + attrs, &res); + if (!ADS_ERR_OK(rc)) return rc; + if (!ads_pull_sid(ads, res, "objectSid", sid)) { + return ADS_ERROR_SYSTEM(ENOENT); + } + ads_msgfree(ads, res); + + return ADS_SUCCESS; +} + +/* this is rather complex - we need to find the allternate (netbios) name + for the domain, but there isn't a simple query to do this. Instead + we look for the principle names on the DCs account and find one that has + the right form, then extract the netbios name of the domain from that + + NOTE! better method is this: + +bin/net -Uadministrator%XXXXX ads search '(&(objectclass=crossref)(dnsroot=VNET3.HOME.SAMBA.ORG))' nETBIOSName + +but you need to force the bind path to match the configurationNamingContext from the rootDSE + +*/ +ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **workgroup) +{ + char *exp; + ADS_STATUS rc; + char **principles; + char *prefix; + int prefix_length; + int i; + void *res; + const char *attrs[] = {"servicePrincipalName", NULL}; + + (*workgroup) = NULL; + + asprintf(&exp, "(&(objectclass=computer)(dnshostname=%s.%s))", + ads->config.ldap_server_name, ads->config.realm); + rc = ads_search(ads, &res, exp, attrs); + free(exp); + + if (!ADS_ERR_OK(rc)) { + return rc; + } + + principles = ads_pull_strings(ads, mem_ctx, res, "servicePrincipalName"); + + ads_msgfree(ads, res); + + if (!principles) { + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + asprintf(&prefix, "HOST/%s.%s/", + ads->config.ldap_server_name, + ads->config.realm); + + prefix_length = strlen(prefix); + + for (i=0;principles[i]; i++) { + if (strncasecmp(principles[i], prefix, prefix_length) == 0 && + strcasecmp(ads->config.realm, principles[i]+prefix_length) != 0 && + !strchr(principles[i]+prefix_length, '.')) { + /* found an alternate (short) name for the domain. */ + DEBUG(3,("Found alternate name '%s' for realm '%s'\n", + principles[i]+prefix_length, + ads->config.realm)); + (*workgroup) = talloc_strdup(mem_ctx, principles[i]+prefix_length); + break; + } + } + free(prefix); + + if (!*workgroup) { + return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + } + + return ADS_SUCCESS; +} + +#endif diff --git a/source4/libads/ldap_printer.c b/source4/libads/ldap_printer.c new file mode 100644 index 0000000000..f5cd4f2885 --- /dev/null +++ b/source4/libads/ldap_printer.c @@ -0,0 +1,341 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) printer utility library + Copyright (C) Jim McDonough 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_ADS + +/* + find a printer given the name and the hostname + Note that results "res" may be allocated on return so that the + results can be used. It should be freed using ads_msgfree. +*/ +ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, void **res, + const char *printer, const char *servername) +{ + ADS_STATUS status; + char *srv_dn, **srv_cn, *exp; + const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; + + status = ads_find_machine_acct(ads, res, servername); + if (!ADS_ERR_OK(status)) { + DEBUG(1, ("ads_add_printer: cannot find host %s in ads\n", + servername)); + return status; + } + srv_dn = ldap_get_dn(ads->ld, *res); + srv_cn = ldap_explode_dn(srv_dn, 1); + ads_msgfree(ads, *res); + + asprintf(&exp, "(cn=%s-%s)", srv_cn[0], printer); + status = ads_search(ads, res, exp, attrs); + + ldap_memfree(srv_dn); + ldap_value_free(srv_cn); + free(exp); + return status; +} + +/* + modify a printer entry in the directory +*/ +ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, const ADS_MODLIST *mods) +{ + return ads_gen_mod(ads, prt_dn, *mods); +} + +/* + add a printer to the directory +*/ +ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn, + TALLOC_CTX *ctx, ADS_MODLIST *mods) +{ + ads_mod_str(ctx, mods, "objectClass", "printQueue"); + return ads_gen_add(ads, prt_dn, *mods); +} + +/* + map a REG_SZ to an ldap mod +*/ +static BOOL map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const REGISTRY_VALUE *value) +{ + char *str_value = NULL; + ADS_STATUS status; + + if (value->type != REG_SZ) + return False; + + if (value->size && *((smb_ucs2_t *) value->data_p)) { + pull_ucs2_talloc(ctx, &str_value, (const smb_ucs2_t *) value->data_p); + status = ads_mod_str(ctx, mods, value->valuename, str_value); + return ADS_ERR_OK(status); + } + return True; + +} + +/* + map a REG_DWORD to an ldap mod +*/ +static BOOL map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const REGISTRY_VALUE *value) +{ + char *str_value = NULL; + ADS_STATUS status; + + if (value->type != REG_DWORD) + return False; + str_value = talloc_asprintf(ctx, "%d", *((uint32 *) value->data_p)); + status = ads_mod_str(ctx, mods, value->valuename, str_value); + return ADS_ERR_OK(status); +} + +/* + map a boolean REG_BINARY to an ldap mod +*/ +static BOOL map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const REGISTRY_VALUE *value) +{ + char *str_value; + ADS_STATUS status; + + if ((value->type != REG_BINARY) || (value->size != 1)) + return False; + str_value = talloc_asprintf(ctx, "%s", + *(value->data_p) ? "TRUE" : "FALSE"); + status = ads_mod_str(ctx, mods, value->valuename, str_value); + return ADS_ERR_OK(status); +} + +/* + map a REG_MULTI_SZ to an ldap mod +*/ +static BOOL map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods, + const REGISTRY_VALUE *value) +{ + char **str_values = NULL; + smb_ucs2_t *cur_str = (smb_ucs2_t *) value->data_p; + uint32 size = 0, num_vals = 0, i=0; + ADS_STATUS status; + + if (value->type != REG_MULTI_SZ) + return False; + + while(cur_str && *cur_str && (size < value->size)) { + size += 2 * (strlen_w(cur_str) + 1); + cur_str += strlen_w(cur_str) + 1; + num_vals++; + }; + + if (num_vals) { + str_values = talloc(ctx, + (num_vals + 1) * sizeof(smb_ucs2_t *)); + memset(str_values, '\0', + (num_vals + 1) * sizeof(smb_ucs2_t *)); + + cur_str = (smb_ucs2_t *) value->data_p; + for (i=0; i < num_vals; i++) + cur_str += pull_ucs2_talloc(ctx, &str_values[i], + cur_str); + + status = ads_mod_strlist(ctx, mods, value->valuename, + (const char **) str_values); + return ADS_ERR_OK(status); + } + return True; +} + +struct valmap_to_ads { + const char *valname; + BOOL (*fn)(TALLOC_CTX *, ADS_MODLIST *, const REGISTRY_VALUE *); +}; + +/* + map a REG_SZ to an ldap mod +*/ +static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods, + REGISTRY_VALUE *value) +{ + const struct valmap_to_ads map[] = { + {SPOOL_REG_ASSETNUMBER, map_sz}, + {SPOOL_REG_BYTESPERMINUTE, map_dword}, + {SPOOL_REG_DEFAULTPRIORITY, map_dword}, + {SPOOL_REG_DESCRIPTION, map_sz}, + {SPOOL_REG_DRIVERNAME, map_sz}, + {SPOOL_REG_DRIVERVERSION, map_dword}, + {SPOOL_REG_FLAGS, map_dword}, + {SPOOL_REG_LOCATION, map_sz}, + {SPOOL_REG_OPERATINGSYSTEM, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz}, + {SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz}, + {SPOOL_REG_PORTNAME, map_multi_sz}, + {SPOOL_REG_PRINTATTRIBUTES, map_dword}, + {SPOOL_REG_PRINTBINNAMES, map_multi_sz}, + {SPOOL_REG_PRINTCOLLATE, map_bool}, + {SPOOL_REG_PRINTCOLOR, map_bool}, + {SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool}, + {SPOOL_REG_PRINTENDTIME, map_dword}, + {SPOOL_REG_PRINTFORMNAME, map_sz}, + {SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool}, + {SPOOL_REG_PRINTLANGUAGE, map_multi_sz}, + {SPOOL_REG_PRINTMACADDRESS, map_sz}, + {SPOOL_REG_PRINTMAXCOPIES, map_sz}, + {SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword}, + {SPOOL_REG_PRINTMAXXEXTENT, map_dword}, + {SPOOL_REG_PRINTMAXYEXTENT, map_dword}, + {SPOOL_REG_PRINTMEDIAREADY, map_multi_sz}, + {SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz}, + {SPOOL_REG_PRINTMEMORY, map_dword}, + {SPOOL_REG_PRINTMINXEXTENT, map_dword}, + {SPOOL_REG_PRINTMINYEXTENT, map_dword}, + {SPOOL_REG_PRINTNETWORKADDRESS, map_sz}, + {SPOOL_REG_PRINTNOTIFY, map_sz}, + {SPOOL_REG_PRINTNUMBERUP, map_dword}, + {SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz}, + {SPOOL_REG_PRINTOWNER, map_sz}, + {SPOOL_REG_PRINTPAGESPERMINUTE, map_dword}, + {SPOOL_REG_PRINTRATE, map_dword}, + {SPOOL_REG_PRINTRATEUNIT, map_sz}, + {SPOOL_REG_PRINTSEPARATORFILE, map_sz}, + {SPOOL_REG_PRINTSHARENAME, map_sz}, + {SPOOL_REG_PRINTSPOOLING, map_sz}, + {SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool}, + {SPOOL_REG_PRINTSTARTTIME, map_dword}, + {SPOOL_REG_PRINTSTATUS, map_sz}, + {SPOOL_REG_PRIORITY, map_dword}, + {SPOOL_REG_SERVERNAME, map_sz}, + {SPOOL_REG_SHORTSERVERNAME, map_sz}, + {SPOOL_REG_UNCNAME, map_sz}, + {SPOOL_REG_URL, map_sz}, + {SPOOL_REG_VERSIONNUMBER, map_dword}, + {NULL, NULL} + }; + int i; + + for (i=0; map[i].valname; i++) { + if (StrCaseCmp(map[i].valname, value->valuename) == 0) { + if (!map[i].fn(ctx, mods, value)) { + DEBUG(5, ("Add of value %s to modlist failed\n", value->valuename)); + } else { + DEBUG(7, ("Mapped value %s\n", value->valuename)); + } + + } + } +} + + +WERROR get_remote_printer_publishing_data(struct cli_state *cli, + TALLOC_CTX *mem_ctx, + ADS_MODLIST *mods, + const char *printer) +{ + WERROR result; + char *printername, *servername; + REGVAL_CTR dsdriver_ctr, dsspooler_ctr; + BOOL got_dsdriver = False, got_dsspooler = False; + uint32 needed, i; + POLICY_HND pol; + + asprintf(&servername, "\\\\%s", cli->desthost); + asprintf(&printername, "%s\\%s", servername, printer); + if (!servername || !printername) { + DEBUG(3, ("Insufficient memory\n")); + return WERR_NOMEM; + } + + result = cli_spoolss_open_printer_ex(cli, mem_ctx, printername, + "", MAXIMUM_ALLOWED_ACCESS, + servername, cli->user_name, &pol); + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to open printer %s, error is %s.\n", + printername, dos_errstr(result))); + return result; + } + + result = cli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed, + &pol, SPOOL_DSDRIVER_KEY, NULL); + + if (W_ERROR_V(result) == ERRmoredata) + result = cli_spoolss_enumprinterdataex(cli, mem_ctx, needed, + NULL, &pol, + SPOOL_DSDRIVER_KEY, + &dsdriver_ctr); + + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", + printername, dos_errstr(result))); + } else { + + /* Have the data we need now, so start building */ + got_dsdriver = True; + for (i=0; i < dsdriver_ctr.num_values; i++) + map_regval_to_ads(mem_ctx, mods, + dsdriver_ctr.values[i]); + } + + result = cli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed, + &pol, SPOOL_DSSPOOLER_KEY, + NULL); + + if (W_ERROR_V(result) == ERRmoredata) + result = cli_spoolss_enumprinterdataex(cli, mem_ctx, needed, + NULL, &pol, + SPOOL_DSSPOOLER_KEY, + &dsspooler_ctr); + + if (!W_ERROR_IS_OK(result)) { + DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n", + printername, dos_errstr(result))); + } else { + got_dsspooler = True; + for (i=0; i < dsspooler_ctr.num_values; i++) + map_regval_to_ads(mem_ctx, mods, + dsspooler_ctr.values[i]); + } + + ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer); + + if (got_dsdriver) regval_ctr_destroy(&dsdriver_ctr); + if (got_dsspooler) regval_ctr_destroy(&dsspooler_ctr); + cli_spoolss_close_printer(cli, mem_ctx, &pol); + + return result; +} + +BOOL get_local_printer_publishing_data(TALLOC_CTX *mem_ctx, + ADS_MODLIST *mods, + NT_PRINTER_DATA *data) +{ + uint32 key,val; + + for (key=0; key < data->num_keys; key++) { + REGVAL_CTR ctr = data->keys[key].values; + for (val=0; val < ctr.num_values; val++) + map_regval_to_ads(mem_ctx, mods, ctr.values[val]); + } + return True; +} + +#endif + diff --git a/source4/libads/ldap_user.c b/source4/libads/ldap_user.c new file mode 100644 index 0000000000..7efe5338f3 --- /dev/null +++ b/source4/libads/ldap_user.c @@ -0,0 +1,119 @@ +/* + Unix SMB/CIFS implementation. + ads (active directory) utility library + Copyright (C) Jim McDonough 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_ADS + +/* + find a user account +*/ +ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, void **res, const char *user) +{ + ADS_STATUS status; + char *exp; + const char *attrs[] = {"*", NULL}; + char *escaped_user = escape_ldap_string_alloc(user); + if (!escaped_user) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + asprintf(&exp, "(samAccountName=%s)", escaped_user); + status = ads_search(ads, res, exp, attrs); + SAFE_FREE(exp); + SAFE_FREE(escaped_user); + return status; +} + +ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, + const char *container, const char *fullname) +{ + TALLOC_CTX *ctx; + ADS_MODLIST mods; + ADS_STATUS status; + const char *upn, *new_dn, *name, *controlstr; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", NULL}; + + if (fullname && *fullname) name = fullname; + else name = user; + + if (!(ctx = talloc_init("ads_add_user_acct"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + status = ADS_ERROR(LDAP_NO_MEMORY); + + if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm))) + goto done; + if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container, + ads->config.bind_path))) + goto done; + if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT))) + goto done; + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "cn", name); + ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "userPrincipalName", upn); + ads_mod_str(ctx, &mods, "name", name); + ads_mod_str(ctx, &mods, "displayName", name); + ads_mod_str(ctx, &mods, "sAMAccountName", user); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + status = ads_gen_add(ads, new_dn, mods); + + done: + talloc_destroy(ctx); + return status; +} + +ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group, + const char *container, const char *comment) +{ + TALLOC_CTX *ctx; + ADS_MODLIST mods; + ADS_STATUS status; + char *new_dn; + const char *objectClass[] = {"top", "group", NULL}; + + if (!(ctx = talloc_init("ads_add_group_acct"))) + return ADS_ERROR(LDAP_NO_MEMORY); + + status = ADS_ERROR(LDAP_NO_MEMORY); + + if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container, + ads->config.bind_path))) + goto done; + if (!(mods = ads_init_mods(ctx))) + goto done; + + ads_mod_str(ctx, &mods, "cn", group); + ads_mod_strlist(ctx, &mods, "objectClass",objectClass); + ads_mod_str(ctx, &mods, "name", group); + if (comment && *comment) + ads_mod_str(ctx, &mods, "description", comment); + ads_mod_str(ctx, &mods, "sAMAccountName", group); + status = ads_gen_add(ads, new_dn, mods); + + done: + talloc_destroy(ctx); + return status; +} +#endif diff --git a/source4/libads/ldap_utils.c b/source4/libads/ldap_utils.c new file mode 100644 index 0000000000..907f7c8aff --- /dev/null +++ b/source4/libads/ldap_utils.c @@ -0,0 +1,96 @@ +/* + Unix SMB/CIFS implementation. + + Some Helpful wrappers on LDAP + + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_LDAP +/* + a wrapper around ldap_search_s that retries depending on the error code + this is supposed to catch dropped connections and auto-reconnect +*/ +ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, + const char *exp, + const char **attrs, void **res) +{ + ADS_STATUS status; + int count = 3; + char *bp; + + if (!ads->ld && + time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) { + return ADS_ERROR(LDAP_SERVER_DOWN); + } + + bp = strdup(bind_path); + + if (!bp) + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + + while (count--) { + status = ads_do_search_all(ads, bp, scope, exp, attrs, res); + if (ADS_ERR_OK(status)) { + DEBUG(5,("Search for %s gave %d replies\n", + exp, ads_count_replies(ads, *res))); + free(bp); + return status; + } + + if (*res) ads_msgfree(ads, *res); + *res = NULL; + DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n", + ads->config.realm, ads_errstr(status))); + if (ads->ld) { + ldap_unbind(ads->ld); + } + ads->ld = NULL; + status = ads_connect(ads); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", + ads_errstr(status))); + ads_destroy(&ads); + free(bp); + return status; + } + } + free(bp); + + DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status))); + return status; +} + + +ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res, + const char *exp, + const char **attrs) +{ + return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, + exp, attrs, res); +} + +ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res, + const char *dn, + const char **attrs) +{ + return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE, + "(objectclass=*)", attrs, res); +} +#endif diff --git a/source4/libads/sasl.c b/source4/libads/sasl.c new file mode 100644 index 0000000000..c33255bf56 --- /dev/null +++ b/source4/libads/sasl.c @@ -0,0 +1,427 @@ +/* + Unix SMB/CIFS implementation. + ads sasl code + Copyright (C) Andrew Tridgell 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_LDAP + +/* + perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can + we fit on one socket??) +*/ +static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) +{ + const char *mechs[] = {OID_NTLMSSP, NULL}; + DATA_BLOB msg1; + DATA_BLOB blob, chal1, chal2, auth; + uint8 challenge[8]; + uint8 nthash[24], lmhash[24], sess_key[16]; + uint32 neg_flags; + struct berval cred, *scred; + ADS_STATUS status; + int rc; + + if (!ads->auth.password) { + /* No password, don't segfault below... */ + return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + neg_flags = NTLMSSP_NEGOTIATE_UNICODE | + NTLMSSP_NEGOTIATE_128 | + NTLMSSP_NEGOTIATE_NTLM; + + memset(sess_key, 0, 16); + + /* generate the ntlmssp negotiate packet */ + msrpc_gen(&blob, "CddB", + "NTLMSSP", + NTLMSSP_NEGOTIATE, + neg_flags, + sess_key, 16); + + /* and wrap it in a SPNEGO wrapper */ + msg1 = gen_negTokenTarg(mechs, blob); + data_blob_free(&blob); + + cred.bv_val = msg1.data; + cred.bv_len = msg1.length; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); + if (rc != LDAP_SASL_BIND_IN_PROGRESS) { + status = ADS_ERROR(rc); + goto failed; + } + + blob = data_blob(scred->bv_val, scred->bv_len); + + /* the server gives us back two challenges */ + if (!spnego_parse_challenge(blob, &chal1, &chal2)) { + DEBUG(3,("Failed to parse challenges\n")); + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto failed; + } + + data_blob_free(&blob); + + /* encrypt the password with the challenge */ + memcpy(challenge, chal1.data + 24, 8); + SMBencrypt(ads->auth.password, challenge,lmhash); + SMBNTencrypt(ads->auth.password, challenge,nthash); + + data_blob_free(&chal1); + data_blob_free(&chal2); + + /* this generates the actual auth packet */ + msrpc_gen(&blob, "CdBBUUUBd", + "NTLMSSP", + NTLMSSP_AUTH, + lmhash, 24, + nthash, 24, + lp_workgroup(), + ads->auth.user_name, + lp_netbios_name(), + sess_key, 16, + neg_flags); + + /* wrap it in SPNEGO */ + auth = spnego_gen_auth(blob); + + data_blob_free(&blob); + + /* now send the auth packet and we should be done */ + cred.bv_val = auth.data; + cred.bv_len = auth.length; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); + + return ADS_ERROR(rc); + +failed: + return status; +} + +/* + perform a LDAP/SASL/SPNEGO/KRB5 bind +*/ +static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal) +{ + DATA_BLOB blob; + struct berval cred, *scred; + int rc; + + blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset); + + if (!blob.data) { + return ADS_ERROR(LDAP_OPERATIONS_ERROR); + } + + /* now send the auth packet and we should be done */ + cred.bv_val = blob.data; + cred.bv_len = blob.length; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred); + + data_blob_free(&blob); + + return ADS_ERROR(rc); +} + +/* + this performs a SASL/SPNEGO bind +*/ +static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) +{ + struct berval *scred=NULL; + int rc, i; + ADS_STATUS status; + DATA_BLOB blob; + char *principal; + char *OIDs[ASN1_MAX_OIDS]; + BOOL got_kerberos_mechanism = False; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); + + if (rc != LDAP_SASL_BIND_IN_PROGRESS) { + status = ADS_ERROR(rc); + goto failed; + } + + blob = data_blob(scred->bv_val, scred->bv_len); + +#if 0 + file_save("sasl_spnego.dat", blob.data, blob.length); +#endif + + /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { + data_blob_free(&blob); + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto failed; + } + data_blob_free(&blob); + + /* make sure the server understands kerberos */ + for (i=0;OIDs[i];i++) { + DEBUG(3,("got OID=%s\n", OIDs[i])); + if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || + strcmp(OIDs[i], OID_KERBEROS5) == 0) { + got_kerberos_mechanism = True; + } + free(OIDs[i]); + } + DEBUG(3,("got principal=%s\n", principal)); + +#ifdef HAVE_KRB5 + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && + got_kerberos_mechanism) { + status = ads_sasl_spnego_krb5_bind(ads, principal); + if (ADS_ERR_OK(status)) + return status; + if (ads_kinit_password(ads) == 0) { + status = ads_sasl_spnego_krb5_bind(ads, principal); + } + if (ADS_ERR_OK(status)) + return status; + } +#endif + + /* lets do NTLMSSP ... this has the big advantage that we don't need + to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + return ads_sasl_spnego_ntlmssp_bind(ads); + +failed: + return status; +} + +#ifdef HAVE_GSSAPI +#define MAX_GSS_PASSES 3 + +/* this performs a SASL/gssapi bind + we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl + is very dependent on correctly configured DNS whereas + this routine is much less fragile + see RFC2078 and RFC2222 for details +*/ +static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) +{ + int minor_status; + gss_name_t serv_name; + gss_buffer_desc input_name; + gss_ctx_id_t context_handle; + gss_OID mech_type = GSS_C_NULL_OID; + gss_buffer_desc output_token, input_token; + OM_uint32 ret_flags, conf_state; + struct berval cred; + struct berval *scred; + int i=0; + int gss_rc, rc; + uint8 *p; + uint32 max_msg_size; + char *sname; + unsigned sec_layer; + ADS_STATUS status; + krb5_principal principal; + krb5_context ctx; + krb5_enctype enc_types[] = { +#ifdef ENCTYPE_ARCFOUR_HMAC + ENCTYPE_ARCFOUR_HMAC, +#endif + ENCTYPE_DES_CBC_MD5, + ENCTYPE_NULL}; + gss_OID_desc nt_principal = + {10, "\052\206\110\206\367\022\001\002\002\002"}; + + /* we need to fetch a service ticket as the ldap user in the + servers realm, regardless of our realm */ + asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm); + krb5_init_context(&ctx); + krb5_set_default_tgs_ktypes(ctx, enc_types); + krb5_parse_name(ctx, sname, &principal); + free(sname); + krb5_free_context(ctx); + + input_name.value = &principal; + input_name.length = sizeof(principal); + + gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name); + if (gss_rc) { + return ADS_ERROR_GSS(gss_rc, minor_status); + } + + context_handle = GSS_C_NO_CONTEXT; + + input_token.value = NULL; + input_token.length = 0; + + for (i=0; i < MAX_GSS_PASSES; i++) { + gss_rc = gss_init_sec_context(&minor_status, + GSS_C_NO_CREDENTIAL, + &context_handle, + serv_name, + mech_type, + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, + 0, + NULL, + &input_token, + NULL, + &output_token, + &ret_flags, + NULL); + + if (input_token.value) { + gss_release_buffer(&minor_status, &input_token); + } + + if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) { + status = ADS_ERROR_GSS(gss_rc, minor_status); + goto failed; + } + + cred.bv_val = output_token.value; + cred.bv_len = output_token.length; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, + &scred); + if (rc != LDAP_SASL_BIND_IN_PROGRESS) { + status = ADS_ERROR(rc); + goto failed; + } + + if (output_token.value) { + gss_release_buffer(&minor_status, &output_token); + } + + if (scred) { + input_token.value = scred->bv_val; + input_token.length = scred->bv_len; + } else { + input_token.value = NULL; + input_token.length = 0; + } + + if (gss_rc == 0) break; + } + + gss_release_name(&minor_status, &serv_name); + + gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token, + &conf_state,NULL); + if (gss_rc) { + status = ADS_ERROR_GSS(gss_rc, minor_status); + goto failed; + } + + gss_release_buffer(&minor_status, &input_token); + + p = (uint8 *)output_token.value; + + file_save("sasl_gssapi.dat", output_token.value, output_token.length); + + max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3]; + sec_layer = *p; + + gss_release_buffer(&minor_status, &output_token); + + output_token.value = malloc(strlen(ads->config.bind_path) + 8); + p = output_token.value; + + *p++ = 1; /* no sign & seal selection */ + /* choose the same size as the server gave us */ + *p++ = max_msg_size>>16; + *p++ = max_msg_size>>8; + *p++ = max_msg_size; + snprintf(p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path); + p += strlen(p); + + output_token.length = PTR_DIFF(p, output_token.value); + + gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT, + &output_token, &conf_state, + &input_token); + if (gss_rc) { + status = ADS_ERROR_GSS(gss_rc, minor_status); + goto failed; + } + + free(output_token.value); + + cred.bv_val = input_token.value; + cred.bv_len = input_token.length; + + rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, + &scred); + status = ADS_ERROR(rc); + + gss_release_buffer(&minor_status, &input_token); + +failed: + return status; +} +#endif + +/* mapping between SASL mechanisms and functions */ +static struct { + const char *name; + ADS_STATUS (*fn)(ADS_STRUCT *); +} sasl_mechanisms[] = { + {"GSS-SPNEGO", ads_sasl_spnego_bind}, +#ifdef HAVE_GSSAPI + {"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */ +#endif + {NULL, NULL} +}; + +ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads) +{ + const char *attrs[] = {"supportedSASLMechanisms", NULL}; + char **values; + ADS_STATUS status; + int i, j; + void *res; + + /* get a list of supported SASL mechanisms */ + status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); + if (!ADS_ERR_OK(status)) return status; + + values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms"); + + /* try our supported mechanisms in order */ + for (i=0;sasl_mechanisms[i].name;i++) { + /* see if the server supports it */ + for (j=0;values && values[j];j++) { + if (strcmp(values[j], sasl_mechanisms[i].name) == 0) { + DEBUG(4,("Found SASL mechanism %s\n", values[j])); + status = sasl_mechanisms[i].fn(ads); + ldap_value_free(values); + ldap_msgfree(res); + return status; + } + } + } + + ldap_value_free(values); + ldap_msgfree(res); + return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED); +} + +#endif + diff --git a/source4/libads/util.c b/source4/libads/util.c new file mode 100644 index 0000000000..335cabc952 --- /dev/null +++ b/source4/libads/util.c @@ -0,0 +1,60 @@ +/* + Unix SMB/CIFS implementation. + krb5 set password implementation + Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#ifdef HAVE_KRB5 + +ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) +{ + char *tmp_password; + char *password; + char *new_password; + char *service_principal; + ADS_STATUS ret; + + if ((password = secrets_fetch_machine_password()) == NULL) { + DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); + return ADS_ERROR_SYSTEM(ENOENT); + } + + tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + new_password = strdup(tmp_password); + asprintf(&service_principal, "HOST/%s", host_principal); + + ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); + + if (!ADS_ERR_OK(ret)) goto failed; + + if (!secrets_store_machine_password(new_password)) { + DEBUG(1,("Failed to save machine password\n")); + return ADS_ERROR_SYSTEM(EACCES); + } + +failed: + SAFE_FREE(service_principal); + SAFE_FREE(new_password); + + return ret; +} + + + +#endif -- cgit