Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ad/ad_domain_info.c | 350 | ||||
-rw-r--r-- | src/providers/ad/ad_domain_info.h | 41 | ||||
-rw-r--r-- | src/providers/ad/ad_init.c | 2 | ||||
-rw-r--r-- | src/providers/ad/ad_subdomains.c | 235 |
4 files changed, 414 insertions, 214 deletions
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
new file mode 100644
index 00000000..b0c8652c
--- /dev/null
+++ b/src/providers/ad/ad_domain_info.c
@@ -0,0 +1,350 @@
+/*
+    SSSD
+
+    AD Domain Info Module
+
+    Authors:
+        Sumit Bose <sbose@redhat.com>
+
+    Copyright (C) 2013 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <tevent.h>
+#include <ctype.h>
+#include <ndr.h>
+#include <ndr/ndr_nbt.h>
+
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "util/util.h"
+
+#define AD_AT_OBJECT_SID "objectSID"
+#define AD_AT_DNS_DOMAIN "DnsDomain"
+#define AD_AT_NT_VERSION "NtVer"
+#define AD_AT_NETLOGON "netlogon"
+
+#define MASTER_DOMAIN_SID_FILTER "objectclass=domain"
+
+struct ad_master_domain_state {
+    struct tevent_context *ev;
+    struct sdap_id_conn_ctx *conn;
+    struct sdap_id_op *id_op;
+    struct sdap_id_ctx *id_ctx;
+    struct sdap_options *opts;
+
+    const char *dom_name;
+    int base_iter;
+
+    char *flat;
+    char *sid;
+};
+
+static errno_t ad_master_domain_next(struct tevent_req *req);
+static void ad_master_domain_next_done(struct tevent_req *subreq);
+static void ad_master_domain_netlogon_done(struct tevent_req *req);
+
+struct tevent_req *
+ad_master_domain_send(TALLOC_CTX *mem_ctx,
+                      struct tevent_context *ev,
+                      struct sdap_id_conn_ctx *conn,
+                      struct sdap_id_op *op,
+                      const char *dom_name)
+{
+    errno_t ret;
+    struct tevent_req *req;
+    struct ad_master_domain_state *state;
+
+    req = tevent_req_create(mem_ctx, &state, struct ad_master_domain_state);
+    if (!req) return NULL;
+
+    state->ev = ev;
+    state->id_op = op;
+    state->conn = conn;
+    state->id_ctx = conn->id_ctx;
+    state->opts = conn->id_ctx->opts;
+    state->dom_name = dom_name;
+
+    ret = ad_master_domain_next(req);
+    if (ret != EOK && ret != EAGAIN) {
+        goto immediate;
+    }
+
+    return req;
+
+immediate:
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+    } else {
+        tevent_req_done(req);
+    }
+    tevent_req_post(req, ev);
+    return req;
+}
+
+static errno_t
+ad_master_domain_next(struct tevent_req *req)
+{
+    struct tevent_req *subreq;
+    struct sdap_search_base *base;
+    const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL};
+
+    struct ad_master_domain_state *state =
+        tevent_req_data(req, struct ad_master_domain_state);
+
+    base = state->opts->sdom->search_bases[state->base_iter];
+    if (base == NULL) {
+        return EOK;
+    }
+
+    subreq = sdap_get_generic_send(state, state->ev,
+                                   state->id_ctx->opts,
+                                   sdap_id_op_handle(state->id_op),
+                                   base->basedn, LDAP_SCOPE_BASE,
+                                   MASTER_DOMAIN_SID_FILTER, master_sid_attrs,
+                                   NULL, 0,
+                                   dp_opt_get_int(state->opts->basic,
+                                                  SDAP_SEARCH_TIMEOUT),
+                                   false);
+    if (subreq == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n"));
+        return ENOMEM;
+    }
+    tevent_req_set_callback(subreq, ad_master_domain_next_done, req);
+
+    return EAGAIN;
+}
+
+static void
+ad_master_domain_next_done(struct tevent_req *subreq)
+{
+    errno_t ret;
+    size_t reply_count;
+    struct sysdb_attrs **reply = NULL;
+    struct ldb_message_element *el;
+    char *sid_str;
+    enum idmap_error_code err;
+    static const char *attrs[] = {AD_AT_NETLOGON, NULL};
+    char *filter;
+    char *ntver;
+
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                      struct tevent_req);
+    struct ad_master_domain_state *state =
+        tevent_req_data(req, struct ad_master_domain_state);
+
+    ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n"));
+        goto done;
+    }
+
+    if (reply_count == 0) {
+        state->base_iter++;
+        ret = ad_master_domain_next(req);
+        if (ret == EAGAIN) {
+            /* Async request will get us back here again */
+            return;
+        } else if (ret != EOK) {
+            goto done;
+        }
+
+        /* EOK */
+        tevent_req_done(req);
+        return;
+    } else if (reply_count == 1) {
+        ret = sysdb_attrs_get_el(reply[0], AD_AT_OBJECT_SID, &el);
+        if (ret != EOK || el->num_values != 1) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sdap_attrs_get_el failed.\n"));
+            goto done;
+        }
+
+        err = sss_idmap_bin_sid_to_sid(state->opts->idmap_ctx->map,
+                                       el->values[0].data,
+                                       el->values[0].length,
+                                       &sid_str);
+        if (err != IDMAP_SUCCESS) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  ("Could not convert SID: [%s].\n", idmap_error_string(err)));
+            ret = EFAULT;
+            goto done;
+        }
+
+        state->sid = talloc_steal(state, sid_str);
+    } else {
+        DEBUG(SSSDBG_OP_FAILURE,
+              ("More than one result for domain SID found.\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, ("Found SID [%s].\n", state->sid));
+
+    ntver = sss_ldap_encode_ndr_uint32(state, NETLOGON_NT_VERSION_5EX |
+                                       NETLOGON_NT_VERSION_WITH_CLOSEST_SITE);
+    if (ntver == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sss_ldap_encode_ndr_uint32 failed.\n"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    filter = talloc_asprintf(state, "(&(%s=%s)(%s=%s))",
+                             AD_AT_DNS_DOMAIN, state->dom_name,
+                             AD_AT_NT_VERSION, ntver);
+    if (filter == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    subreq = sdap_get_generic_send(state, state->ev,
+                                   state->id_ctx->opts,
+                                   sdap_id_op_handle(state->id_op),
+                                   "", LDAP_SCOPE_BASE, filter, attrs, NULL, 0,
+                                   dp_opt_get_int(state->opts->basic,
+                                                  SDAP_SEARCH_TIMEOUT),
+                                   false);
+    if (subreq == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    tevent_req_set_callback(subreq, ad_master_domain_netlogon_done, req);
+    return;
+
+done:
+    tevent_req_error(req, ret);
+}
+
+static void
+ad_master_domain_netlogon_done(struct tevent_req *subreq)
+{
+    int ret;
+    size_t reply_count;
+    struct sysdb_attrs **reply = NULL;
+    struct ldb_message_element *el;
+    DATA_BLOB blob;
+    enum ndr_err_code ndr_err;
+    struct ndr_pull *ndr_pull = NULL;
+    struct netlogon_samlogon_response response;
+
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                      struct tevent_req);
+    struct ad_master_domain_state *state =
+        tevent_req_data(req, struct ad_master_domain_state);
+
+    ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n"));
+        goto done;
+    }
+
+    if (reply_count == 0) {
+        DEBUG(SSSDBG_TRACE_FUNC, ("No netlogon data available.\n"));
+        ret = ENOENT;
+        goto done;
+    } else if (reply_count > 1) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              ("More than one netlogon info returned.\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
+    ret = sysdb_attrs_get_el(reply[0], AD_AT_NETLOGON, &el);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_el() failed\n"));
+        goto done;
+    }
+
+    if (el->num_values == 0) {
+        DEBUG(SSSDBG_OP_FAILURE, ("netlogon has no value\n"));
+        ret = ENOENT;
+        goto done;
+    } else if (el->num_values > 1) {
+        DEBUG(SSSDBG_OP_FAILURE, ("More than one netlogon value?\n"));
+        ret = EIO;
+        goto done;
+    }
+
+    blob.data = el->values[0].data;
+    blob.length = el->values[0].length;
+
+    ndr_pull = ndr_pull_init_blob(&blob, state);
+    if (ndr_pull == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("ndr_pull_init_blob() failed.\n"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ndr_err = ndr_pull_netlogon_samlogon_response(ndr_pull, NDR_SCALARS,
+                                                  &response);
+    if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+        DEBUG(SSSDBG_OP_FAILURE, ("ndr_pull_netlogon_samlogon_response() "
+                                  "failed [%d]\n", ndr_err));
+        ret = EBADMSG;
+        goto done;
+    }
+
+    if (!(response.ntver & NETLOGON_NT_VERSION_5EX)) {
+        DEBUG(SSSDBG_OP_FAILURE, ("Wrong version returned [%x]\n",
+                                  response.ntver));
+        ret = EBADMSG;
+        goto done;
+    }
+
+    if (response.data.nt5_ex.domain_name != NULL &&
+        *response.data.nt5_ex.domain_name != '\0') {
+        state->flat = talloc_strdup(state, response.data.nt5_ex.domain_name);
+        if (state->flat == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, ("Found flat name [%s].\n", state->flat));
+    tevent_req_done(req);
+    return;
+
+done:
+    tevent_req_error(req, ret);
+}
+
+errno_t
+ad_master_domain_recv(struct tevent_req *req,
+                      TALLOC_CTX *mem_ctx,
+                      char **_flat,
+                      char **_id)
+{
+    struct ad_master_domain_state *state = tevent_req_data(req,
+                                              struct ad_master_domain_state);
+
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+
+    if (_flat) {
+        *_flat = talloc_steal(mem_ctx, state->flat);
+    }
+
+    if (_id) {
+        *_id = talloc_steal(mem_ctx, state->sid);
+    }
+
+    return EOK;
+}
diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h
new file mode 100644
index 00000000..d2170639
--- /dev/null
+++ b/src/providers/ad/ad_domain_info.h
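Review bot: `ad_master_domain_send` hands back a request that can never complete when `ad_master_domain_next` returns EOK, which it does as soon as `search_bases[0]` is NULL: the guard `if (ret != EOK && ret != EAGAIN)` skips the `immediate:` path, so neither `tevent_req_done` nor `tevent_req_post` runs and the caller's callback never fires. Changing it to `if (ret != EAGAIN) { goto immediate; }` (or mapping EOK to EINVAL first, as the removed "No search base available" path in ad_subdomains.c did) finishes the request right away. The same stall exists in `ad_master_domain_next_done`: when `sysdb_attrs_get_el` succeeds but `el->num_values != 1`, `ret` is still EOK at `done:` and `tevent_req_error(req, 0)` is a no-op, so a malformed objectSID reply leaves the request pending; add `ret = EINVAL;` in that branch before the `goto done`. Also, `state->flat` stays NULL when the netlogon response carries an empty domain name, so the `Found flat name [%s]` DEBUG in `ad_master_domain_netlogon_done` passes NULL to `%s`; log `state->flat ? state->flat : "<none>"` instead.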
@@ -0,0 +1,41 @@ +/* + SSSD + + AD Master Domain Module + + Authors: + Sumit Bose <sbose@redhat.com> + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef _AD_MASTER_DOMAIN_H_ +#define _AD_MASTER_DOMAIN_H_ + +struct tevent_req * +ad_master_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_conn_ctx *conn, + struct sdap_id_op *op, + const char *dom_name); + +errno_t +ad_master_domain_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + char **_flat, + char **_id); + +#endif /* _AD_MASTER_DOMAIN_H_ */ diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c index f181afe6..99288195 100644 --- a/src/providers/ad/ad_init.c +++ b/src/providers/ad/ad_init.c @@ -40,6 +40,7 @@ #include "providers/ad/ad_srv.h" #include "providers/dp_dyndns.h" #include "providers/ad/ad_subdomains.h" +#include "providers/ad/ad_domain_info.h" struct ad_options *ad_options = NULL; @@ -214,7 +215,6 @@ sssm_ad_id_init(struct be_ctx *bectx, &ad_ctx->sdap_id_ctx->opts->idmap_ctx); if (ret != EOK) goto done; - ret = setup_tls_config(ad_ctx->sdap_id_ctx->opts->basic); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 87685088..f15a0138 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c 
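Review bot: The include guard `_AD_MASTER_DOMAIN_H_` is an identifier reserved for the implementation (leading underscore followed by an uppercase letter); `AD_DOMAIN_INFO_H_`, matching the file name, avoids that. The two public prototypes also carry no statement of their contract, which matters because the outputs are ownership transfers: a comment above `ad_master_domain_recv` should say that `_flat` and `_id` are talloc-stolen onto `mem_ctx`, that `_flat` may come back NULL when the netlogon response has no domain name, and that either out-pointer may be passed as NULL to skip it. The header further relies on the includer to have declared `TALLOC_CTX`, `errno_t` and the tevent/sdap structs; forward declarations of the structs (or the corresponding includes) would make it self-contained.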
@@ -24,6 +24,7 @@ #include "providers/ldap/sdap_async.h" #include "providers/ad/ad_subdomains.h" +#include "providers/ad/ad_domain_info.h" #include "util/util_sss_idmap.h" #include <ctype.h> #include <ndr.h> @@ -264,9 +265,7 @@ done: } static void ad_subdomains_get_conn_done(struct tevent_req *req); -static errno_t ad_subdomains_get_master_sid(struct ad_subdomains_req_ctx *ctx); -static void ad_subdomains_get_master_sid_done(struct tevent_req *req); -static void ad_subdomains_get_netlogon_done(struct tevent_req *req); +static void ad_subdomains_master_dom_done(struct tevent_req *req); static errno_t ad_subdomains_get_slave(struct ad_subdomains_req_ctx *ctx); static void ad_subdomains_retrieve(struct ad_subdomains_ctx *ctx, 
@@ -341,236 +340,46 @@ static void ad_subdomains_get_conn_done(struct tevent_req *req) goto fail; } - ret = ad_subdomains_get_master_sid(ctx); - if (ret == EAGAIN) { - return; - } else if (ret != EOK) { - goto fail; - } - - DEBUG(SSSDBG_OP_FAILURE, ("No search base available.\n")); - ret = EINVAL; - -fail: - be_req_terminate(ctx->be_req, dp_error, ret, NULL); -} - -static errno_t ad_subdomains_get_master_sid(struct ad_subdomains_req_ctx *ctx) -{ - struct tevent_req *req; - struct sdap_search_base *base; - const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL}; - - - base = ctx->sd_ctx->sdom->search_bases[ctx->base_iter]; - if (base == NULL) { - return EOK; - } - - req = sdap_get_generic_send(ctx, ctx->sd_ctx->be_ctx->ev, - ctx->sd_ctx->sdap_id_ctx->opts, - sdap_id_op_handle(ctx->sdap_op), - base->basedn, LDAP_SCOPE_BASE, - MASTER_DOMAIN_SID_FILTER, master_sid_attrs, - NULL, 0, - dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic, - SDAP_SEARCH_TIMEOUT), - false); - - if (req == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n")); - return ENOMEM; - } - - tevent_req_set_callback(req, ad_subdomains_get_master_sid_done, ctx); - - return EAGAIN; -} - -static void ad_subdomains_get_master_sid_done(struct tevent_req *req) -{ - int ret; - size_t reply_count; - struct sysdb_attrs **reply = NULL; - struct ad_subdomains_req_ctx *ctx; - struct ldb_message_element *el; - char *sid_str; - enum idmap_error_code err; - static const char *attrs[] = {AD_AT_NETLOGON, NULL}; - char *filter; - char *ntver; - - ctx = tevent_req_callback_data(req, struct ad_subdomains_req_ctx); - - ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply); - talloc_zfree(req); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n")); - goto done; - } - - if (reply_count == 0) { - ctx->base_iter++; - ret = ad_subdomains_get_master_sid(ctx); - if (ret == EAGAIN) { - return; - } else if (ret != EOK) { - goto done; - } - } else if (reply_count == 
1) { - ret = sysdb_attrs_get_el(reply[0], AD_AT_OBJECT_SID, &el); - if (ret != EOK || el->num_values != 1) { - DEBUG(SSSDBG_OP_FAILURE, ("sdap_attrs_get_el failed.\n")); - goto done; - } - - err = sss_idmap_bin_sid_to_sid(ctx->sd_ctx->idmap_ctx, - el->values[0].data, - el->values[0].length, - &sid_str); - if (err != IDMAP_SUCCESS) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Could not convert SID: [%s].\n", idmap_error_string(err))); - ret = EFAULT; - goto done; - } - - ctx->master_sid = talloc_steal(ctx, sid_str); - } else { - DEBUG(SSSDBG_OP_FAILURE, - ("More than one result for domain SID found.\n")); - ret = EINVAL; - goto done; - } - - DEBUG(SSSDBG_TRACE_FUNC, ("Found SID [%s].\n", ctx->master_sid)); - - ntver = sss_ldap_encode_ndr_uint32(ctx, NETLOGON_NT_VERSION_5EX | - NETLOGON_NT_VERSION_WITH_CLOSEST_SITE); - if (ntver == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("sss_ldap_encode_ndr_uint32 failed.\n")); - ret = ENOMEM; - goto done; - } - - filter = talloc_asprintf(ctx, "(&(%s=%s)(%s=%s))", - AD_AT_DNS_DOMAIN, ctx->sd_ctx->domain_name, - AD_AT_NT_VERSION, ntver); - if (filter == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("talloc_asprintf failed.\n")); - ret = ENOMEM; - goto done; - } - - req = sdap_get_generic_send(ctx, ctx->sd_ctx->be_ctx->ev, - ctx->sd_ctx->sdap_id_ctx->opts, - sdap_id_op_handle(ctx->sdap_op), - "", LDAP_SCOPE_BASE, filter, attrs, NULL, 0, - dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic, - SDAP_SEARCH_TIMEOUT), - false); + req = ad_master_domain_send(ctx, ctx->sd_ctx->be_ctx->ev, + ctx->sd_ctx->ldap_ctx, + ctx->sdap_op, + ctx->sd_ctx->domain_name); if (req == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send failed.\n")); + DEBUG(SSSDBG_OP_FAILURE, ("ad_master_domain_send failed.\n")); ret = ENOMEM; - goto done; + goto fail; } - - tevent_req_set_callback(req, ad_subdomains_get_netlogon_done, ctx); + tevent_req_set_callback(req, ad_subdomains_master_dom_done, ctx); return; -done: - be_req_terminate(ctx->be_req, DP_ERR_FATAL, ret, NULL); +fail: + 
be_req_terminate(ctx->be_req, dp_error, ret, NULL); } -static void ad_subdomains_get_netlogon_done(struct tevent_req *req) +static void ad_subdomains_master_dom_done(struct tevent_req *req) { - int ret; - size_t reply_count; - struct sysdb_attrs **reply = NULL; struct ad_subdomains_req_ctx *ctx; - struct ldb_message_element *el; - DATA_BLOB blob; - enum ndr_err_code ndr_err; - struct ndr_pull *ndr_pull = NULL; - struct netlogon_samlogon_response response; - int dp_error = DP_ERR_FATAL; + errno_t ret; ctx = tevent_req_callback_data(req, struct ad_subdomains_req_ctx); - ret = sdap_get_generic_recv(req, ctx, &reply_count, &reply); + ret = ad_master_domain_recv(req, ctx, + &ctx->flat_name, &ctx->master_sid); talloc_zfree(req); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("sdap_get_generic_send request failed.\n")); - goto done; - } - - if (reply_count == 0) { - DEBUG(SSSDBG_TRACE_FUNC, ("No netlogon data available.\n")); - ret = ENOENT; - goto done; - } else if (reply_count > 1) { - DEBUG(SSSDBG_OP_FAILURE, - ("More than one netlogon info returned.\n")); - ret = EINVAL; - goto done; - } - - ret = sysdb_attrs_get_el(reply[0], AD_AT_NETLOGON, &el); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_el() failed\n")); - goto done; - } - - if (el->num_values == 0) { - DEBUG(SSSDBG_OP_FAILURE, ("netlogon has no value\n")); - ret = ENOENT; - goto done; - } else if (el->num_values > 1) { - DEBUG(SSSDBG_OP_FAILURE, ("More than one netlogon value?\n")); - ret = EIO; - goto done; - } - - blob.data = el->values[0].data; - blob.length = el->values[0].length; - - ndr_pull = ndr_pull_init_blob(&blob, ctx); - if (ndr_pull == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("ndr_pull_init_blob() failed.\n")); - ret = ENOMEM; + DEBUG(SSSDBG_OP_FAILURE, ("Cannot retrieve master domain info\n")); goto done; } - ndr_err = ndr_pull_netlogon_samlogon_response(ndr_pull, NDR_SCALARS, - &response); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(SSSDBG_OP_FAILURE, 
("ndr_pull_netlogon_samlogon_response() " - "failed [%d]\n", ndr_err)); - ret = EBADMSG; - goto done; - } - - if (!(response.ntver & NETLOGON_NT_VERSION_5EX)) { - DEBUG(SSSDBG_OP_FAILURE, ("Wrong version returned [%x]\n", - response.ntver)); - ret = EBADMSG; - goto done; - } - - if (response.data.nt5_ex.domain_name != NULL && - *response.data.nt5_ex.domain_name != '\0') { - ctx->flat_name = talloc_strdup(ctx, response.data.nt5_ex.domain_name); - if (ctx->flat_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n")); - ret = ENOMEM; - goto done; - } - } - DEBUG(SSSDBG_TRACE_FUNC, ("Found flat name [%s].\n", ctx->flat_name)); + DEBUG(SSSDBG_TRACE_FUNC, ("Found master SID [%s].\n", ctx->master_sid)); ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain, ctx->flat_name, ctx->master_sid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("Cannot save master domain info\n")); + goto done; + } ret = ad_subdomains_get_slave(ctx); if (ret == EAGAIN) { @@ -580,7 +389,7 @@ static void ad_subdomains_get_netlogon_done(struct tevent_req *req) } done: - be_req_terminate(ctx->be_req, dp_error, ret, NULL); + be_req_terminate(ctx->be_req, DP_ERR_FATAL, ret, NULL); } static void ad_subdomains_get_slave_domain_done(struct tevent_req *req); |
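Review bot: `ad_subdomains_master_dom_done` saves whatever `ad_master_domain_recv` returns without checking it, yet the removed lines show the old flow rejected the no-search-base case with EINVAL ("No search base available"), and the new `ad_master_domain_send` can complete successfully with both outputs NULL when no base yields a result, so `ctx->master_sid` may be NULL when it reaches the `Found master SID [%s]` DEBUG and `sysdb_master_domain_add_info`. A guard such as `if (ctx->master_sid == NULL) { ret = EINVAL; goto done; }` right after the recv error check would restore the earlier behaviour. In `ad_subdomains_get_conn_done` the new ENOMEM path now jumps to `fail:`, which terminates with `dp_error` rather than the DP_ERR_FATAL the removed `done:` label used; if `dp_error` still holds the value from the successful connect (set outside this hunk), an allocation failure would be reported with a non-fatal code, so consider `dp_error = DP_ERR_FATAL;` before that `goto fail`. Both functions extend beyond this hunk: `ad_subdomains_get_conn_done` begins before it and `ad_subdomains_master_dom_done` ends in the following `@@ -580,7` hunk.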