Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : ads (active directory) utility library
4 : Copyright (C) Andrew Tridgell 2001
5 : Copyright (C) Remus Koos 2001
6 : Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 : Copyright (C) Guenther Deschner 2005
8 : Copyright (C) Gerald Carter 2006
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include "ads.h"
26 : #include "libads/sitename_cache.h"
27 : #include "libads/cldap.h"
28 : #include "../lib/tsocket/tsocket.h"
29 : #include "../lib/addns/dnsquery.h"
30 : #include "../libds/common/flags.h"
31 : #include "smbldap.h"
32 : #include "../libcli/security/security.h"
33 : #include "../librpc/gen_ndr/netlogon.h"
34 : #include "lib/param/loadparm.h"
35 : #include "libsmb/namequery.h"
36 : #include "../librpc/gen_ndr/ndr_ads.h"
37 :
38 : #ifdef HAVE_LDAP
39 :
40 : /**
41 : * @file ldap.c
42 : * @brief basic ldap client-side routines for ads server communications
43 : *
44 : * The routines contained here should do the necessary ldap calls for
45 : * ads setups.
46 : *
47 : * Important note: attribute names passed into ads_ routines must
48 : * already be in UTF-8 format. We do not convert them because in almost
49 : * all cases, they are just ascii (which is represented with the same
50 : * codepoints in UTF-8). This may have to change at some point
51 : **/
52 :
53 :
54 : #define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
55 :
56 : static SIG_ATOMIC_T gotalarm;
57 :
58 : /***************************************************************
59 : Signal function to tell us we timed out.
60 : ****************************************************************/
61 :
62 0 : static void gotalarm_sig(int signum)
63 : {
64 0 : gotalarm = 1;
65 0 : }
66 :
67 89 : LDAP *ldap_open_with_timeout(const char *server,
68 : struct sockaddr_storage *ss,
69 : int port, unsigned int to)
70 : {
71 89 : LDAP *ldp = NULL;
72 : int ldap_err;
73 : char *uri;
74 :
75 89 : DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
76 : "%u seconds\n", server, port, to));
77 :
78 89 : if (to) {
79 : /* Setup timeout */
80 89 : gotalarm = 0;
81 89 : CatchSignal(SIGALRM, gotalarm_sig);
82 89 : alarm(to);
83 : /* End setup timeout. */
84 : }
85 :
86 89 : if ( strchr_m(server, ':') ) {
87 : /* IPv6 URI */
88 0 : uri = talloc_asprintf(talloc_tos(), "ldap://[%s]:%u", server, port);
89 : } else {
90 : /* IPv4 URI */
91 89 : uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
92 : }
93 89 : if (uri == NULL) {
94 0 : return NULL;
95 : }
96 :
97 : #ifdef HAVE_LDAP_INIT_FD
98 : {
99 89 : int fd = -1;
100 89 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
101 89 : unsigned timeout_ms = 1000 * to;
102 :
103 89 : status = open_socket_out(ss, port, timeout_ms, &fd);
104 89 : if (!NT_STATUS_IS_OK(status)) {
105 0 : DEBUG(3, ("open_socket_out: failed to open socket\n"));
106 0 : return NULL;
107 : }
108 :
109 : /* define LDAP_PROTO_TCP from openldap.h if required */
110 : #ifndef LDAP_PROTO_TCP
111 : #define LDAP_PROTO_TCP 1
112 : #endif
113 89 : ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
114 : }
115 : #elif defined(HAVE_LDAP_INITIALIZE)
116 : ldap_err = ldap_initialize(&ldp, uri);
117 : #else
118 : ldp = ldap_open(server, port);
119 : if (ldp != NULL) {
120 : ldap_err = LDAP_SUCCESS;
121 : } else {
122 : ldap_err = LDAP_OTHER;
123 : }
124 : #endif
125 89 : if (ldap_err != LDAP_SUCCESS) {
126 0 : DEBUG(2,("Could not initialize connection for LDAP server '%s': %s\n",
127 : uri, ldap_err2string(ldap_err)));
128 : } else {
129 89 : DEBUG(10, ("Initialized connection for LDAP server '%s'\n", uri));
130 : }
131 :
132 89 : if (to) {
133 : /* Teardown timeout. */
134 89 : alarm(0);
135 89 : CatchSignal(SIGALRM, SIG_IGN);
136 : }
137 :
138 89 : return ldp;
139 : }
140 :
141 438 : static int ldap_search_with_timeout(LDAP *ld,
142 : LDAP_CONST char *base,
143 : int scope,
144 : LDAP_CONST char *filter,
145 : char **attrs,
146 : int attrsonly,
147 : LDAPControl **sctrls,
148 : LDAPControl **cctrls,
149 : int sizelimit,
150 : LDAPMessage **res )
151 : {
152 438 : int to = lp_ldap_timeout();
153 : struct timeval timeout;
154 438 : struct timeval *timeout_ptr = NULL;
155 : int result;
156 :
157 : /* Setup timeout for the ldap_search_ext_s call - local and remote. */
158 438 : gotalarm = 0;
159 :
160 438 : if (to) {
161 438 : timeout.tv_sec = to;
162 438 : timeout.tv_usec = 0;
163 438 : timeout_ptr = &timeout;
164 :
165 : /* Setup alarm timeout. */
166 438 : CatchSignal(SIGALRM, gotalarm_sig);
167 : /* Make the alarm time one second beyond
168 : the timout we're setting for the
169 : remote search timeout, to allow that
170 : to fire in preference. */
171 438 : alarm(to+1);
172 : /* End setup timeout. */
173 : }
174 :
175 :
176 438 : result = ldap_search_ext_s(ld, base, scope, filter, attrs,
177 : attrsonly, sctrls, cctrls, timeout_ptr,
178 : sizelimit, res);
179 :
180 438 : if (to) {
181 : /* Teardown alarm timeout. */
182 438 : CatchSignal(SIGALRM, SIG_IGN);
183 438 : alarm(0);
184 : }
185 :
186 438 : if (gotalarm != 0)
187 0 : return LDAP_TIMELIMIT_EXCEEDED;
188 :
189 : /*
190 : * A bug in OpenLDAP means ldap_search_ext_s can return
191 : * LDAP_SUCCESS but with a NULL res pointer. Cope with
192 : * this. See bug #6279 for details. JRA.
193 : */
194 :
195 438 : if (*res == NULL) {
196 0 : return LDAP_TIMELIMIT_EXCEEDED;
197 : }
198 :
199 438 : return result;
200 : }
201 :
202 : /**********************************************
203 : Do client and server sitename match ?
204 : **********************************************/
205 :
206 0 : bool ads_sitename_match(ADS_STRUCT *ads)
207 : {
208 0 : if (ads->config.server_site_name == NULL &&
209 0 : ads->config.client_site_name == NULL ) {
210 0 : DEBUG(10,("ads_sitename_match: both null\n"));
211 0 : return True;
212 : }
213 0 : if (ads->config.server_site_name &&
214 0 : ads->config.client_site_name &&
215 0 : strequal(ads->config.server_site_name,
216 : ads->config.client_site_name)) {
217 0 : DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
218 0 : return True;
219 : }
220 0 : DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
221 : ads->config.server_site_name ? ads->config.server_site_name : "NULL",
222 : ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
223 0 : return False;
224 : }
225 :
226 : /**********************************************
227 : Is this the closest DC ?
228 : **********************************************/
229 :
230 138 : bool ads_closest_dc(ADS_STRUCT *ads)
231 : {
232 138 : if (ads->config.flags & NBT_SERVER_CLOSEST) {
233 138 : DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
234 138 : return True;
235 : }
236 :
237 : /* not sure if this can ever happen */
238 0 : if (ads_sitename_match(ads)) {
239 0 : DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
240 0 : return True;
241 : }
242 :
243 0 : if (ads->config.client_site_name == NULL) {
244 0 : DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
245 0 : return True;
246 : }
247 :
248 0 : DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
249 : ads->config.ldap_server_name));
250 :
251 0 : return False;
252 : }
253 :
254 154 : static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
255 : bool gc,
256 : const struct sockaddr_storage *ss,
257 : const struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply)
258 : {
259 154 : TALLOC_CTX *frame = talloc_stackframe();
260 154 : bool ret = false;
261 : char addr[INET6_ADDRSTRLEN];
262 : ADS_STATUS status;
263 : char *dn;
264 :
265 154 : print_sockaddr(addr, sizeof(addr), ss);
266 :
267 : /* Check the CLDAP reply flags */
268 :
269 154 : if (!(cldap_reply->server_type & NBT_SERVER_LDAP)) {
270 0 : DBG_WARNING("%s's CLDAP reply says it is not an LDAP server!\n",
271 : addr);
272 0 : ret = false;
273 0 : goto out;
274 : }
275 :
276 : /* Fill in the ads->config values */
277 :
278 154 : ADS_TALLOC_CONST_FREE(ads->config.realm);
279 154 : ADS_TALLOC_CONST_FREE(ads->config.bind_path);
280 154 : ADS_TALLOC_CONST_FREE(ads->config.ldap_server_name);
281 154 : ADS_TALLOC_CONST_FREE(ads->config.server_site_name);
282 154 : ADS_TALLOC_CONST_FREE(ads->config.client_site_name);
283 154 : ADS_TALLOC_CONST_FREE(ads->server.workgroup);
284 :
285 154 : if (!check_cldap_reply_required_flags(cldap_reply->server_type,
286 : ads->config.flags)) {
287 0 : ret = false;
288 0 : goto out;
289 : }
290 :
291 308 : ads->config.ldap_server_name = talloc_strdup(ads,
292 154 : cldap_reply->pdc_dns_name);
293 154 : if (ads->config.ldap_server_name == NULL) {
294 0 : DBG_WARNING("Out of memory\n");
295 0 : ret = false;
296 0 : goto out;
297 : }
298 :
299 308 : ads->config.realm = talloc_asprintf_strupper_m(ads,
300 : "%s",
301 154 : cldap_reply->dns_domain);
302 154 : if (ads->config.realm == NULL) {
303 0 : DBG_WARNING("Out of memory\n");
304 0 : ret = false;
305 0 : goto out;
306 : }
307 :
308 154 : status = ads_build_dn(ads->config.realm, ads, &dn);
309 154 : if (!ADS_ERR_OK(status)) {
310 0 : DBG_DEBUG("Failed to build bind path: %s\n",
311 : ads_errstr(status));
312 0 : ret = false;
313 0 : goto out;
314 : }
315 154 : ads->config.bind_path = dn;
316 :
317 154 : if (*cldap_reply->server_site) {
318 154 : ads->config.server_site_name =
319 154 : talloc_strdup(ads, cldap_reply->server_site);
320 154 : if (ads->config.server_site_name == NULL) {
321 0 : DBG_WARNING("Out of memory\n");
322 0 : ret = false;
323 0 : goto out;
324 : }
325 : }
326 :
327 154 : if (*cldap_reply->client_site) {
328 154 : ads->config.client_site_name =
329 154 : talloc_strdup(ads, cldap_reply->client_site);
330 154 : if (ads->config.client_site_name == NULL) {
331 0 : DBG_WARNING("Out of memory\n");
332 0 : ret = false;
333 0 : goto out;
334 : }
335 : }
336 :
337 154 : ads->server.workgroup = talloc_strdup(ads, cldap_reply->domain_name);
338 154 : if (ads->server.workgroup == NULL) {
339 0 : DBG_WARNING("Out of memory\n");
340 0 : ret = false;
341 0 : goto out;
342 : }
343 :
344 154 : ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
345 154 : ads->ldap.ss = *ss;
346 :
347 : /* Store our site name. */
348 154 : sitename_store(cldap_reply->domain_name, cldap_reply->client_site);
349 154 : sitename_store(cldap_reply->dns_domain, cldap_reply->client_site);
350 :
351 : /* Leave this until last so that the flags are not clobbered */
352 154 : ads->config.flags = cldap_reply->server_type;
353 :
354 154 : ret = true;
355 :
356 154 : out:
357 :
358 154 : TALLOC_FREE(frame);
359 154 : return ret;
360 : }
361 :
362 : /*
363 : try a connection to a given ldap server, returning True and setting the servers IP
364 : in the ads struct if successful
365 : */
366 93 : static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
367 : struct sockaddr_storage *ss)
368 : {
369 93 : struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply = {};
370 93 : TALLOC_CTX *frame = talloc_stackframe();
371 : bool ok;
372 93 : char addr[INET6_ADDRSTRLEN] = { 0, };
373 :
374 93 : if (ss == NULL) {
375 0 : TALLOC_FREE(frame);
376 0 : return false;
377 : }
378 :
379 93 : print_sockaddr(addr, sizeof(addr), ss);
380 :
381 93 : DBG_INFO("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
382 : addr, ads->server.realm);
383 :
384 93 : ok = ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply);
385 93 : if (!ok) {
386 0 : DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n",
387 : addr, ads->server.realm);
388 0 : TALLOC_FREE(frame);
389 0 : return false;
390 : }
391 :
392 93 : ok = ads_fill_cldap_reply(ads, gc, ss, &cldap_reply);
393 93 : if (!ok) {
394 0 : DBG_NOTICE("ads_fill_cldap_reply(%s, %s) failed.\n",
395 : addr, ads->server.realm);
396 0 : TALLOC_FREE(frame);
397 0 : return false;
398 : }
399 :
400 93 : TALLOC_FREE(frame);
401 93 : return true;
402 : }
403 :
404 : /**********************************************************************
405 : send a cldap ping to list of servers, one at a time, until one of
406 : them answers it's an ldap server. Record success in the ADS_STRUCT.
407 : Take note of and update negative connection cache.
408 : **********************************************************************/
409 :
410 61 : static NTSTATUS cldap_ping_list(ADS_STRUCT *ads,
411 : const char *domain,
412 : struct samba_sockaddr *sa_list,
413 : size_t count)
414 : {
415 61 : TALLOC_CTX *frame = talloc_stackframe();
416 61 : struct timeval endtime = timeval_current_ofs(MAX(3,lp_ldap_timeout()/2), 0);
417 61 : uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
418 61 : struct tsocket_address **ts_list = NULL;
419 61 : const struct tsocket_address * const *ts_list_const = NULL;
420 61 : struct samba_sockaddr **req_sa_list = NULL;
421 61 : struct netlogon_samlogon_response **responses = NULL;
422 61 : size_t num_requests = 0;
423 : NTSTATUS status;
424 : size_t i;
425 61 : bool ok = false;
426 : bool retry;
427 :
428 61 : ts_list = talloc_zero_array(frame,
429 : struct tsocket_address *,
430 : count);
431 61 : if (ts_list == NULL) {
432 0 : TALLOC_FREE(frame);
433 0 : return NT_STATUS_NO_MEMORY;
434 : }
435 :
436 61 : req_sa_list = talloc_zero_array(frame,
437 : struct samba_sockaddr *,
438 : count);
439 61 : if (req_sa_list == NULL) {
440 0 : TALLOC_FREE(frame);
441 0 : return NT_STATUS_NO_MEMORY;
442 : }
443 :
444 61 : again:
445 : /*
446 : * The retry loop is bound by the timeout
447 : */
448 61 : retry = false;
449 61 : num_requests = 0;
450 :
451 139 : for (i = 0; i < count; i++) {
452 : char server[INET6_ADDRSTRLEN];
453 : int ret;
454 :
455 78 : if (is_zero_addr(&sa_list[i].u.ss)) {
456 0 : continue;
457 : }
458 :
459 78 : print_sockaddr(server, sizeof(server), &sa_list[i].u.ss);
460 :
461 78 : status = check_negative_conn_cache(domain, server);
462 78 : if (!NT_STATUS_IS_OK(status)) {
463 0 : continue;
464 : }
465 :
466 78 : ret = tsocket_address_inet_from_strings(ts_list, "ip",
467 : server, LDAP_PORT,
468 : &ts_list[num_requests]);
469 78 : if (ret != 0) {
470 0 : status = map_nt_error_from_unix(errno);
471 0 : DBG_WARNING("Failed to create tsocket_address for %s - %s\n",
472 : server, nt_errstr(status));
473 0 : TALLOC_FREE(frame);
474 0 : return status;
475 : }
476 :
477 78 : req_sa_list[num_requests] = &sa_list[i];
478 78 : num_requests += 1;
479 : }
480 :
481 61 : if (num_requests == 0) {
482 0 : status = NT_STATUS_NO_LOGON_SERVERS;
483 0 : DBG_WARNING("domain[%s] num_requests[%zu] for count[%zu] - %s\n",
484 : domain, num_requests, count, nt_errstr(status));
485 0 : TALLOC_FREE(frame);
486 0 : return status;
487 : }
488 :
489 61 : ts_list_const = (const struct tsocket_address * const *)ts_list;
490 :
491 61 : status = cldap_multi_netlogon(frame,
492 : ts_list_const, num_requests,
493 : ads->server.realm, NULL,
494 : nt_version,
495 : 1, endtime, &responses);
496 61 : if (!NT_STATUS_IS_OK(status)) {
497 0 : DBG_WARNING("cldap_multi_netlogon(realm=%s, num_requests=%zu) "
498 : "for count[%zu] - %s\n",
499 : ads->server.realm,
500 : num_requests, count,
501 : nt_errstr(status));
502 0 : TALLOC_FREE(frame);
503 0 : return NT_STATUS_NO_LOGON_SERVERS;
504 : }
505 :
506 61 : for (i = 0; i < num_requests; i++) {
507 61 : struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
508 : char server[INET6_ADDRSTRLEN];
509 :
510 61 : if (responses[i] == NULL) {
511 0 : continue;
512 : }
513 :
514 61 : print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
515 :
516 61 : if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
517 0 : DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for %s\n",
518 : ads->server.realm,
519 : responses[i]->ntver, server);
520 0 : continue;
521 : }
522 :
523 61 : cldap_reply = &responses[i]->data.nt5_ex;
524 :
525 : /* Returns ok only if it matches the correct server type */
526 61 : ok = ads_fill_cldap_reply(ads,
527 : false,
528 61 : &req_sa_list[i]->u.ss,
529 : cldap_reply);
530 61 : if (ok) {
531 61 : DBG_DEBUG("realm[%s]: selected %s => %s\n",
532 : ads->server.realm,
533 : server, cldap_reply->pdc_dns_name);
534 61 : if (CHECK_DEBUGLVL(DBGLVL_DEBUG)) {
535 1 : NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX,
536 : cldap_reply);
537 : }
538 61 : TALLOC_FREE(frame);
539 61 : return NT_STATUS_OK;
540 : }
541 :
542 0 : DBG_NOTICE("realm[%s] server %s %s - not usable\n",
543 : ads->server.realm,
544 : server, cldap_reply->pdc_dns_name);
545 0 : if (CHECK_DEBUGLVL(DBGLVL_NOTICE)) {
546 0 : NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX,
547 : cldap_reply);
548 : }
549 0 : add_failed_connection_entry(domain, server,
550 0 : NT_STATUS_CLIENT_SERVER_PARAMETERS_INVALID);
551 0 : retry = true;
552 : }
553 :
554 0 : if (retry) {
555 : bool expired;
556 :
557 0 : expired = timeval_expired(&endtime);
558 0 : if (!expired) {
559 0 : goto again;
560 : }
561 : }
562 :
563 : /* keep track of failures as all were not suitable */
564 0 : for (i = 0; i < num_requests; i++) {
565 : char server[INET6_ADDRSTRLEN];
566 :
567 0 : print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
568 :
569 0 : add_failed_connection_entry(domain, server,
570 0 : NT_STATUS_UNSUCCESSFUL);
571 : }
572 :
573 0 : status = NT_STATUS_NO_LOGON_SERVERS;
574 0 : DBG_WARNING("realm[%s] no valid response "
575 : "num_requests[%zu] for count[%zu] - %s\n",
576 : ads->server.realm,
577 : num_requests, count, nt_errstr(status));
578 0 : TALLOC_FREE(frame);
579 0 : return NT_STATUS_NO_LOGON_SERVERS;
580 : }
581 :
582 : /***************************************************************************
583 : resolve a name and perform an "ldap ping" using NetBIOS and related methods
584 : ****************************************************************************/
585 :
586 6 : static NTSTATUS resolve_and_ping_netbios(ADS_STRUCT *ads,
587 : const char *domain, const char *realm)
588 : {
589 : size_t i;
590 6 : size_t count = 0;
591 6 : struct samba_sockaddr *sa_list = NULL;
592 : NTSTATUS status;
593 :
594 6 : DEBUG(6, ("resolve_and_ping_netbios: (cldap) looking for domain '%s'\n",
595 : domain));
596 :
597 6 : status = get_sorted_dc_list(talloc_tos(),
598 : domain,
599 : NULL,
600 : &sa_list,
601 : &count,
602 : false);
603 6 : if (!NT_STATUS_IS_OK(status)) {
604 0 : return status;
605 : }
606 :
607 : /* remove servers which are known to be dead based on
608 : the corresponding DNS method */
609 6 : if (*realm) {
610 0 : for (i = 0; i < count; ++i) {
611 : char server[INET6_ADDRSTRLEN];
612 :
613 0 : print_sockaddr(server, sizeof(server), &sa_list[i].u.ss);
614 :
615 0 : if(!NT_STATUS_IS_OK(
616 : check_negative_conn_cache(realm, server))) {
617 : /* Ensure we add the workgroup name for this
618 : IP address as negative too. */
619 0 : add_failed_connection_entry(
620 : domain, server,
621 0 : NT_STATUS_UNSUCCESSFUL);
622 : }
623 : }
624 : }
625 :
626 6 : status = cldap_ping_list(ads, domain, sa_list, count);
627 :
628 6 : TALLOC_FREE(sa_list);
629 :
630 6 : return status;
631 : }
632 :
633 :
634 : /**********************************************************************
635 : resolve a name and perform an "ldap ping" using DNS
636 : **********************************************************************/
637 :
638 55 : static NTSTATUS resolve_and_ping_dns(ADS_STRUCT *ads, const char *sitename,
639 : const char *realm)
640 : {
641 55 : size_t count = 0;
642 55 : struct samba_sockaddr *sa_list = NULL;
643 : NTSTATUS status;
644 :
645 55 : DEBUG(6, ("resolve_and_ping_dns: (cldap) looking for realm '%s'\n",
646 : realm));
647 :
648 55 : status = get_sorted_dc_list(talloc_tos(),
649 : realm,
650 : sitename,
651 : &sa_list,
652 : &count,
653 : true);
654 55 : if (!NT_STATUS_IS_OK(status)) {
655 0 : TALLOC_FREE(sa_list);
656 0 : return status;
657 : }
658 :
659 55 : status = cldap_ping_list(ads, realm, sa_list, count);
660 :
661 55 : TALLOC_FREE(sa_list);
662 :
663 55 : return status;
664 : }
665 :
666 : /**********************************************************************
667 : Try to find an AD dc using our internal name resolution routines
668 : Try the realm first and then then workgroup name if netbios is not
669 : disabled
670 : **********************************************************************/
671 :
672 85 : static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
673 : {
674 85 : const char *c_domain = "";
675 : const char *c_realm;
676 85 : bool use_own_domain = False;
677 85 : char *sitename = NULL;
678 85 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
679 85 : bool ok = false;
680 :
681 : /* if the realm and workgroup are both empty, assume they are ours */
682 :
683 : /* realm */
684 85 : c_realm = ads->server.realm;
685 :
686 85 : if (c_realm == NULL)
687 6 : c_realm = "";
688 :
689 85 : if (!*c_realm) {
690 : /* special case where no realm and no workgroup means our own */
691 6 : if ( !ads->server.workgroup || !*ads->server.workgroup ) {
692 0 : use_own_domain = True;
693 0 : c_realm = lp_realm();
694 : }
695 : }
696 :
697 85 : if (!lp_disable_netbios()) {
698 85 : if (use_own_domain) {
699 0 : c_domain = lp_workgroup();
700 : } else {
701 85 : c_domain = ads->server.workgroup;
702 85 : if (!*c_realm && (!c_domain || !*c_domain)) {
703 0 : c_domain = lp_workgroup();
704 : }
705 : }
706 :
707 85 : if (!c_domain) {
708 0 : c_domain = "";
709 : }
710 : }
711 :
712 85 : if (!*c_realm && !*c_domain) {
713 0 : DEBUG(0, ("ads_find_dc: no realm or workgroup! Don't know "
714 : "what to do\n"));
715 0 : return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
716 : }
717 :
718 : /*
719 : * In case of LDAP we use get_dc_name() as that
720 : * creates the custom krb5.conf file
721 : */
722 85 : if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
723 : fstring srv_name;
724 : struct sockaddr_storage ip_out;
725 :
726 24 : DEBUG(6, ("ads_find_dc: (ldap) looking for realm '%s'"
727 : " and falling back to domain '%s'\n",
728 : c_realm, c_domain));
729 :
730 24 : ok = get_dc_name(c_domain, c_realm, srv_name, &ip_out);
731 24 : if (ok) {
732 24 : if (is_zero_addr(&ip_out)) {
733 0 : return NT_STATUS_NO_LOGON_SERVERS;
734 : }
735 :
736 : /*
737 : * we call ads_try_connect() to fill in the
738 : * ads->config details
739 : */
740 24 : ok = ads_try_connect(ads, false, &ip_out);
741 24 : if (ok) {
742 24 : return NT_STATUS_OK;
743 : }
744 : }
745 :
746 0 : return NT_STATUS_NO_LOGON_SERVERS;
747 : }
748 :
749 61 : if (*c_realm) {
750 55 : sitename = sitename_fetch(talloc_tos(), c_realm);
751 55 : status = resolve_and_ping_dns(ads, sitename, c_realm);
752 :
753 55 : if (NT_STATUS_IS_OK(status)) {
754 55 : TALLOC_FREE(sitename);
755 55 : return status;
756 : }
757 :
758 : /* In case we failed to contact one of our closest DC on our
759 : * site we
760 : * need to try to find another DC, retry with a site-less SRV
761 : * DNS query
762 : * - Guenther */
763 :
764 0 : if (sitename) {
765 0 : DEBUG(3, ("ads_find_dc: failed to find a valid DC on "
766 : "our site (%s), Trying to find another DC "
767 : "for realm '%s' (domain '%s')\n",
768 : sitename, c_realm, c_domain));
769 0 : namecache_delete(c_realm, 0x1C);
770 : status =
771 0 : resolve_and_ping_dns(ads, NULL, c_realm);
772 :
773 0 : if (NT_STATUS_IS_OK(status)) {
774 0 : TALLOC_FREE(sitename);
775 0 : return status;
776 : }
777 : }
778 :
779 0 : TALLOC_FREE(sitename);
780 : }
781 :
782 : /* try netbios as fallback - if permitted,
783 : or if configuration specifically requests it */
784 6 : if (*c_domain) {
785 6 : if (*c_realm) {
786 0 : DEBUG(3, ("ads_find_dc: falling back to netbios "
787 : "name resolution for domain '%s' (realm '%s')\n",
788 : c_domain, c_realm));
789 : }
790 :
791 6 : status = resolve_and_ping_netbios(ads, c_domain, c_realm);
792 6 : if (NT_STATUS_IS_OK(status)) {
793 6 : return status;
794 : }
795 : }
796 :
797 0 : DEBUG(1, ("ads_find_dc: "
798 : "name resolution for realm '%s' (domain '%s') failed: %s\n",
799 : c_realm, c_domain, nt_errstr(status)));
800 0 : return status;
801 : }
802 : /**
803 : * Connect to the LDAP server
804 : * @param ads Pointer to an existing ADS_STRUCT
805 : * @return status of connection
806 : **/
807 154 : ADS_STATUS ads_connect(ADS_STRUCT *ads)
808 : {
809 154 : int version = LDAP_VERSION3;
810 : ADS_STATUS status;
811 : NTSTATUS ntstatus;
812 : char addr[INET6_ADDRSTRLEN];
813 : struct sockaddr_storage existing_ss;
814 :
815 154 : zero_sockaddr(&existing_ss);
816 :
817 : /*
818 : * ads_connect can be passed in a reused ADS_STRUCT
819 : * with an existing non-zero ads->ldap.ss IP address
820 : * that was stored by going through ads_find_dc()
821 : * if ads->server.ldap_server was NULL.
822 : *
823 : * If ads->server.ldap_server is still NULL but
824 : * the target address isn't the zero address, then
825 : * store that address off off before zeroing out
826 : * ads->ldap so we don't keep doing multiple calls
827 : * to ads_find_dc() in the reuse case.
828 : *
829 : * If a caller wants a clean ADS_STRUCT they
830 : * will TALLOC_FREE it and allocate a new one
831 : * by calling ads_init(), which ensures
832 : * ads->ldap.ss is a properly zero'ed out valid IP
833 : * address.
834 : */
835 154 : if (ads->server.ldap_server == NULL && !is_zero_addr(&ads->ldap.ss)) {
836 : /* Save off the address we previously found by ads_find_dc(). */
837 3 : existing_ss = ads->ldap.ss;
838 : }
839 :
840 154 : ads_zero_ldap(ads);
841 154 : ZERO_STRUCT(ads->ldap_wrap_data);
842 154 : ads->ldap.last_attempt = time_mono(NULL);
843 154 : ads->ldap_wrap_data.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
844 :
845 : /* try with a user specified server */
846 :
847 154 : if (DEBUGLEVEL >= 11) {
848 0 : char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
849 0 : DEBUG(11,("ads_connect: entering\n"));
850 0 : DEBUGADD(11,("%s\n", s));
851 0 : TALLOC_FREE(s);
852 : }
853 :
854 154 : if (ads->server.ldap_server) {
855 66 : bool ok = false;
856 : struct sockaddr_storage ss;
857 :
858 66 : ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
859 66 : if (!ok) {
860 0 : DEBUG(5,("ads_connect: unable to resolve name %s\n",
861 : ads->server.ldap_server));
862 0 : status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
863 0 : goto out;
864 : }
865 :
866 66 : if (is_zero_addr(&ss)) {
867 0 : status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
868 0 : goto out;
869 : }
870 :
871 66 : ok = ads_try_connect(ads, ads->server.gc, &ss);
872 66 : if (ok) {
873 66 : goto got_connection;
874 : }
875 :
876 : /* The choice of which GC use is handled one level up in
877 : ads_connect_gc(). If we continue on from here with
878 : ads_find_dc() we will get GC searches on port 389 which
879 : doesn't work. --jerry */
880 :
881 0 : if (ads->server.gc == true) {
882 0 : return ADS_ERROR(LDAP_OPERATIONS_ERROR);
883 : }
884 :
885 0 : if (ads->server.no_fallback) {
886 0 : status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
887 0 : goto out;
888 : }
889 : }
890 :
891 88 : if (!is_zero_addr(&existing_ss)) {
892 : /* We saved off who we should talk to. */
893 3 : bool ok = ads_try_connect(ads,
894 3 : ads->server.gc,
895 : &existing_ss);
896 3 : if (ok) {
897 3 : goto got_connection;
898 : }
899 : /*
900 : * Keep trying to find a server and fall through
901 : * into ads_find_dc() again.
902 : */
903 : }
904 :
905 85 : ntstatus = ads_find_dc(ads);
906 85 : if (NT_STATUS_IS_OK(ntstatus)) {
907 85 : goto got_connection;
908 : }
909 :
910 0 : status = ADS_ERROR_NT(ntstatus);
911 0 : goto out;
912 :
913 154 : got_connection:
914 :
915 154 : print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
916 154 : DEBUG(3,("Successfully contacted LDAP server %s\n", addr));
917 :
918 154 : if (!ads->auth.user_name) {
919 : /* Must use the userPrincipalName value here or sAMAccountName
920 : and not servicePrincipalName; found by Guenther Deschner */
921 63 : ads->auth.user_name = talloc_asprintf(ads,
922 : "%s$",
923 : lp_netbios_name());
924 63 : if (ads->auth.user_name == NULL) {
925 0 : DBG_ERR("talloc_asprintf failed\n");
926 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
927 0 : goto out;
928 : }
929 : }
930 :
931 154 : if (ads->auth.realm == NULL) {
932 85 : ads->auth.realm = talloc_strdup(ads, ads->config.realm);
933 85 : if (ads->auth.realm == NULL) {
934 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
935 0 : goto out;
936 : }
937 : }
938 :
939 154 : if (!ads->auth.kdc_server) {
940 151 : print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
941 151 : ads->auth.kdc_server = talloc_strdup(ads, addr);
942 151 : if (ads->auth.kdc_server == NULL) {
943 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
944 0 : goto out;
945 : }
946 : }
947 :
948 : /* If the caller() requested no LDAP bind, then we are done */
949 :
950 154 : if (ads->auth.flags & ADS_AUTH_NO_BIND) {
951 65 : status = ADS_SUCCESS;
952 65 : goto out;
953 : }
954 :
955 89 : ads->ldap_wrap_data.mem_ctx = talloc_init("ads LDAP connection memory");
956 89 : if (!ads->ldap_wrap_data.mem_ctx) {
957 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
958 0 : goto out;
959 : }
960 :
961 : /* Otherwise setup the TCP LDAP session */
962 :
963 89 : ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
964 : &ads->ldap.ss,
965 89 : ads->ldap.port, lp_ldap_timeout());
966 89 : if (ads->ldap.ld == NULL) {
967 0 : status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
968 0 : goto out;
969 : }
970 89 : DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
971 :
972 : /* cache the successful connection for workgroup and realm */
973 89 : if (ads_closest_dc(ads)) {
974 89 : saf_store( ads->server.workgroup, ads->config.ldap_server_name);
975 89 : saf_store( ads->server.realm, ads->config.ldap_server_name);
976 : }
977 :
978 89 : ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
979 :
980 : /* fill in the current time and offsets */
981 :
982 89 : status = ads_current_time( ads );
983 89 : if ( !ADS_ERR_OK(status) ) {
984 0 : goto out;
985 : }
986 :
987 : /* Now do the bind */
988 :
989 89 : if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
990 3 : status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
991 3 : goto out;
992 : }
993 :
994 86 : if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
995 0 : status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
996 0 : goto out;
997 : }
998 :
999 86 : status = ads_sasl_bind(ads);
1000 :
1001 154 : out:
1002 154 : if (DEBUGLEVEL >= 11) {
1003 0 : char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
1004 0 : DEBUG(11,("ads_connect: leaving with: %s\n",
1005 : ads_errstr(status)));
1006 0 : DEBUGADD(11,("%s\n", s));
1007 0 : TALLOC_FREE(s);
1008 : }
1009 :
1010 154 : return status;
1011 : }
1012 :
1013 : /**
1014 : * Connect to the LDAP server using given credentials
1015 : * @param ads Pointer to an existing ADS_STRUCT
1016 : * @return status of connection
1017 : **/
1018 48 : ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads)
1019 : {
1020 48 : ads->auth.flags |= ADS_AUTH_USER_CREDS;
1021 :
1022 48 : return ads_connect(ads);
1023 : }
1024 :
1025 : /**
1026 : * Zero out the internal ads->ldap struct and initialize the address to zero IP.
1027 : * @param ads Pointer to an existing ADS_STRUCT
1028 : *
1029 : * Sets the ads->ldap.ss to a valid
1030 : * zero ip address that can be detected by
1031 : * our is_zero_addr() function. Otherwise
1032 : * it is left as AF_UNSPEC (0).
1033 : **/
1034 504 : void ads_zero_ldap(ADS_STRUCT *ads)
1035 : {
1036 504 : ZERO_STRUCT(ads->ldap);
1037 : /*
1038 : * Initialize the sockaddr_storage so we can use
1039 : * sockaddr test functions against it.
1040 : */
1041 504 : zero_sockaddr(&ads->ldap.ss);
1042 504 : }
1043 :
1044 : /**
1045 : * Disconnect the LDAP server
1046 : * @param ads Pointer to an existing ADS_STRUCT
1047 : **/
1048 175 : void ads_disconnect(ADS_STRUCT *ads)
1049 : {
1050 175 : if (ads->ldap.ld) {
1051 89 : ldap_unbind(ads->ldap.ld);
1052 89 : ads->ldap.ld = NULL;
1053 : }
1054 175 : if (ads->ldap_wrap_data.wrap_ops &&
1055 83 : ads->ldap_wrap_data.wrap_ops->disconnect) {
1056 83 : ads->ldap_wrap_data.wrap_ops->disconnect(&ads->ldap_wrap_data);
1057 : }
1058 175 : if (ads->ldap_wrap_data.mem_ctx) {
1059 89 : talloc_free(ads->ldap_wrap_data.mem_ctx);
1060 : }
1061 175 : ads_zero_ldap(ads);
1062 175 : ZERO_STRUCT(ads->ldap_wrap_data);
1063 175 : }
1064 :
1065 : /*
1066 : Duplicate a struct berval into talloc'ed memory
1067 : */
1068 26 : static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
1069 : {
1070 : struct berval *value;
1071 :
1072 26 : if (!in_val) return NULL;
1073 :
1074 26 : value = talloc_zero(ctx, struct berval);
1075 26 : if (value == NULL)
1076 0 : return NULL;
1077 26 : if (in_val->bv_len == 0) return value;
1078 :
1079 26 : value->bv_len = in_val->bv_len;
1080 26 : value->bv_val = (char *)talloc_memdup(ctx, in_val->bv_val,
1081 : in_val->bv_len);
1082 26 : return value;
1083 : }
1084 :
1085 : /*
1086 : Make a values list out of an array of (struct berval *)
1087 : */
1088 26 : static struct berval **ads_dup_values(TALLOC_CTX *ctx,
1089 : const struct berval **in_vals)
1090 : {
1091 : struct berval **values;
1092 : int i;
1093 :
1094 26 : if (!in_vals) return NULL;
1095 52 : for (i=0; in_vals[i]; i++)
1096 : ; /* count values */
1097 26 : values = talloc_zero_array(ctx, struct berval *, i+1);
1098 26 : if (!values) return NULL;
1099 :
1100 52 : for (i=0; in_vals[i]; i++) {
1101 26 : values[i] = dup_berval(ctx, in_vals[i]);
1102 : }
1103 26 : return values;
1104 : }
1105 :
1106 : /*
1107 : UTF8-encode a values list out of an array of (char *)
1108 : */
1109 226 : static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
1110 : {
1111 : char **values;
1112 : int i;
1113 : size_t size;
1114 :
1115 226 : if (!in_vals) return NULL;
1116 622 : for (i=0; in_vals[i]; i++)
1117 : ; /* count values */
1118 226 : values = talloc_zero_array(ctx, char *, i+1);
1119 226 : if (!values) return NULL;
1120 :
1121 622 : for (i=0; in_vals[i]; i++) {
1122 396 : if (!push_utf8_talloc(ctx, &values[i], in_vals[i], &size)) {
1123 0 : TALLOC_FREE(values);
1124 0 : return NULL;
1125 : }
1126 : }
1127 226 : return values;
1128 : }
1129 :
1130 : /*
1131 : Pull a (char *) array out of a UTF8-encoded values list
1132 : */
1133 51 : static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
1134 : {
1135 : char **values;
1136 : int i;
1137 : size_t converted_size;
1138 :
1139 51 : if (!in_vals) return NULL;
1140 102 : for (i=0; in_vals[i]; i++)
1141 : ; /* count values */
1142 51 : values = talloc_zero_array(ctx, char *, i+1);
1143 51 : if (!values) return NULL;
1144 :
1145 102 : for (i=0; in_vals[i]; i++) {
1146 51 : if (!pull_utf8_talloc(ctx, &values[i], in_vals[i],
1147 : &converted_size)) {
1148 0 : DEBUG(0,("ads_pull_strvals: pull_utf8_talloc failed: "
1149 : "%s", strerror(errno)));
1150 : }
1151 : }
1152 51 : return values;
1153 : }
1154 :
1155 : /**
1156 : * Do a search with paged results. cookie must be null on the first
1157 : * call, and then returned on each subsequent call. It will be null
1158 : * again when the entire search is complete
1159 : * @param ads connection to ads server
1160 : * @param bind_path Base dn for the search
1161 : * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1162 : * @param expr Search expression - specified in local charset
1163 : * @param attrs Attributes to retrieve - specified in utf8 or ascii
1164 : * @param res ** which will contain results - free res* with ads_msgfree()
1165 : * @param count Number of entries retrieved on this page
1166 : * @param cookie The paged results cookie to be returned on subsequent calls
1167 : * @return status of search
1168 : **/
1169 13 : static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
1170 : const char *bind_path,
1171 : int scope, const char *expr,
1172 : const char **attrs, void *args,
1173 : LDAPMessage **res,
1174 : int *count, struct berval **cookie)
1175 : {
1176 : int rc, i, version;
1177 13 : char *utf8_expr, *utf8_path, **search_attrs = NULL;
1178 : size_t converted_size;
1179 : LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
1180 13 : BerElement *cookie_be = NULL;
1181 13 : struct berval *cookie_bv= NULL;
1182 13 : BerElement *ext_be = NULL;
1183 13 : struct berval *ext_bv= NULL;
1184 :
1185 : TALLOC_CTX *ctx;
1186 13 : ads_control *external_control = (ads_control *) args;
1187 :
1188 13 : *res = NULL;
1189 :
1190 13 : if (!(ctx = talloc_init("ads_do_paged_search_args")))
1191 0 : return ADS_ERROR(LDAP_NO_MEMORY);
1192 :
1193 : /* 0 means the conversion worked but the result was empty
1194 : so we only fail if it's -1. In any case, it always
1195 : at least nulls out the dest */
1196 13 : if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
1197 13 : !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
1198 : {
1199 0 : rc = LDAP_NO_MEMORY;
1200 0 : goto done;
1201 : }
1202 :
1203 13 : if (!attrs || !(*attrs))
1204 0 : search_attrs = NULL;
1205 : else {
1206 : /* This would be the utf8-encoded version...*/
1207 : /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
1208 13 : if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) {
1209 0 : rc = LDAP_NO_MEMORY;
1210 0 : goto done;
1211 : }
1212 : }
1213 :
1214 : /* Paged results only available on ldap v3 or later */
1215 13 : ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
1216 13 : if (version < LDAP_VERSION3) {
1217 0 : rc = LDAP_NOT_SUPPORTED;
1218 0 : goto done;
1219 : }
1220 :
1221 13 : cookie_be = ber_alloc_t(LBER_USE_DER);
1222 13 : if (*cookie) {
1223 0 : ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie);
1224 0 : ber_bvfree(*cookie); /* don't need it from last time */
1225 0 : *cookie = NULL;
1226 : } else {
1227 13 : ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0);
1228 : }
1229 13 : ber_flatten(cookie_be, &cookie_bv);
1230 13 : PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
1231 13 : PagedResults.ldctl_iscritical = (char) 1;
1232 13 : PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
1233 13 : PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
1234 :
1235 13 : NoReferrals.ldctl_oid = discard_const_p(char, ADS_NO_REFERRALS_OID);
1236 13 : NoReferrals.ldctl_iscritical = (char) 0;
1237 13 : NoReferrals.ldctl_value.bv_len = 0;
1238 13 : NoReferrals.ldctl_value.bv_val = discard_const_p(char, "");
1239 :
1240 13 : if (external_control &&
1241 0 : (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
1242 0 : strequal(external_control->control, ADS_SD_FLAGS_OID))) {
1243 :
1244 0 : ExternalCtrl.ldctl_oid = discard_const_p(char, external_control->control);
1245 0 : ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
1246 :
1247 : /* win2k does not accept a ldctl_value beeing passed in */
1248 :
1249 0 : if (external_control->val != 0) {
1250 :
1251 0 : if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
1252 0 : rc = LDAP_NO_MEMORY;
1253 0 : goto done;
1254 : }
1255 :
1256 0 : if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
1257 0 : rc = LDAP_NO_MEMORY;
1258 0 : goto done;
1259 : }
1260 0 : if ((ber_flatten(ext_be, &ext_bv)) == -1) {
1261 0 : rc = LDAP_NO_MEMORY;
1262 0 : goto done;
1263 : }
1264 :
1265 0 : ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
1266 0 : ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
1267 :
1268 : } else {
1269 0 : ExternalCtrl.ldctl_value.bv_len = 0;
1270 0 : ExternalCtrl.ldctl_value.bv_val = NULL;
1271 : }
1272 :
1273 0 : controls[0] = &NoReferrals;
1274 0 : controls[1] = &PagedResults;
1275 0 : controls[2] = &ExternalCtrl;
1276 0 : controls[3] = NULL;
1277 :
1278 : } else {
1279 13 : controls[0] = &NoReferrals;
1280 13 : controls[1] = &PagedResults;
1281 13 : controls[2] = NULL;
1282 : }
1283 :
1284 : /* we need to disable referrals as the openldap libs don't
1285 : handle them and paged results at the same time. Using them
1286 : together results in the result record containing the server
1287 : page control being removed from the result list (tridge/jmcd)
1288 :
1289 : leaving this in despite the control that says don't generate
1290 : referrals, in case the server doesn't support it (jmcd)
1291 : */
1292 13 : ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1293 :
1294 13 : rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1295 : search_attrs, 0, controls,
1296 : NULL, LDAP_NO_LIMIT,
1297 : (LDAPMessage **)res);
1298 :
1299 13 : ber_free(cookie_be, 1);
1300 13 : ber_bvfree(cookie_bv);
1301 :
1302 13 : if (rc) {
1303 0 : DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
1304 : ldap_err2string(rc)));
1305 0 : if (rc == LDAP_OTHER) {
1306 : char *ldap_errmsg;
1307 : int ret;
1308 :
1309 0 : ret = ldap_parse_result(ads->ldap.ld,
1310 : *res,
1311 : NULL,
1312 : NULL,
1313 : &ldap_errmsg,
1314 : NULL,
1315 : NULL,
1316 : 0);
1317 0 : if (ret == LDAP_SUCCESS) {
1318 0 : DEBUG(3, ("ldap_search_with_timeout(%s) "
1319 : "error: %s\n", expr, ldap_errmsg));
1320 0 : ldap_memfree(ldap_errmsg);
1321 : }
1322 : }
1323 0 : goto done;
1324 : }
1325 :
1326 13 : rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL,
1327 : NULL, &rcontrols, 0);
1328 :
1329 13 : if (!rcontrols) {
1330 0 : goto done;
1331 : }
1332 :
1333 13 : for (i=0; rcontrols[i]; i++) {
1334 13 : if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
1335 13 : cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1336 13 : ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
1337 : &cookie_bv);
1338 : /* the berval is the cookie, but must be freed when
1339 : it is all done */
1340 13 : if (cookie_bv->bv_len) /* still more to do */
1341 0 : *cookie=ber_bvdup(cookie_bv);
1342 : else
1343 13 : *cookie=NULL;
1344 13 : ber_bvfree(cookie_bv);
1345 13 : ber_free(cookie_be, 1);
1346 13 : break;
1347 : }
1348 : }
1349 13 : ldap_controls_free(rcontrols);
1350 :
1351 13 : done:
1352 13 : talloc_destroy(ctx);
1353 :
1354 13 : if (ext_be) {
1355 0 : ber_free(ext_be, 1);
1356 : }
1357 :
1358 13 : if (ext_bv) {
1359 0 : ber_bvfree(ext_bv);
1360 : }
1361 :
1362 13 : if (rc != LDAP_SUCCESS && *res != NULL) {
1363 0 : ads_msgfree(ads, *res);
1364 0 : *res = NULL;
1365 : }
1366 :
1367 : /* if/when we decide to utf8-encode attrs, take out this next line */
1368 13 : TALLOC_FREE(search_attrs);
1369 :
1370 13 : return ADS_ERROR(rc);
1371 : }
1372 :
1373 0 : static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
1374 : int scope, const char *expr,
1375 : const char **attrs, LDAPMessage **res,
1376 : int *count, struct berval **cookie)
1377 : {
1378 0 : return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
1379 : }
1380 :
1381 :
1382 : /**
1383 : * Get all results for a search. This uses ads_do_paged_search() to return
1384 : * all entries in a large search.
1385 : * @param ads connection to ads server
1386 : * @param bind_path Base dn for the search
1387 : * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1388 : * @param expr Search expression
1389 : * @param attrs Attributes to retrieve
1390 : * @param res ** which will contain results - free res* with ads_msgfree()
1391 : * @return status of search
1392 : **/
1393 13 : ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
1394 : int scope, const char *expr,
1395 : const char **attrs, void *args,
1396 : LDAPMessage **res)
1397 : {
1398 13 : struct berval *cookie = NULL;
1399 13 : int count = 0;
1400 : ADS_STATUS status;
1401 :
1402 13 : *res = NULL;
1403 13 : status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
1404 : &count, &cookie);
1405 :
1406 13 : if (!ADS_ERR_OK(status))
1407 0 : return status;
1408 :
1409 : #ifdef HAVE_LDAP_ADD_RESULT_ENTRY
1410 13 : while (cookie) {
1411 0 : LDAPMessage *res2 = NULL;
1412 : LDAPMessage *msg, *next;
1413 :
1414 0 : status = ads_do_paged_search_args(ads, bind_path, scope, expr,
1415 : attrs, args, &res2, &count, &cookie);
1416 0 : if (!ADS_ERR_OK(status)) {
1417 0 : break;
1418 : }
1419 :
1420 : /* this relies on the way that ldap_add_result_entry() works internally. I hope
1421 : that this works on all ldap libs, but I have only tested with openldap */
1422 0 : for (msg = ads_first_message(ads, res2); msg; msg = next) {
1423 0 : next = ads_next_message(ads, msg);
1424 0 : ldap_add_result_entry((LDAPMessage **)res, msg);
1425 : }
1426 : /* note that we do not free res2, as the memory is now
1427 : part of the main returned list */
1428 : }
1429 : #else
1430 : DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
1431 : status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
1432 : #endif
1433 :
1434 13 : return status;
1435 : }
1436 :
1437 0 : ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
1438 : int scope, const char *expr,
1439 : const char **attrs, LDAPMessage **res)
1440 : {
1441 0 : return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
1442 : }
1443 :
1444 0 : ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
1445 : int scope, const char *expr,
1446 : const char **attrs, uint32_t sd_flags,
1447 : LDAPMessage **res)
1448 : {
1449 : ads_control args;
1450 :
1451 0 : args.control = ADS_SD_FLAGS_OID;
1452 0 : args.val = sd_flags;
1453 0 : args.critical = True;
1454 :
1455 0 : return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
1456 : }
1457 :
1458 :
1459 : /**
1460 : * Run a function on all results for a search. Uses ads_do_paged_search() and
1461 : * runs the function as each page is returned, using ads_process_results()
1462 : * @param ads connection to ads server
1463 : * @param bind_path Base dn for the search
1464 : * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1465 : * @param expr Search expression - specified in local charset
1466 : * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
1467 : * @param fn Function which takes attr name, values list, and data_area
1468 : * @param data_area Pointer which is passed to function on each call
1469 : * @return status of search
1470 : **/
1471 0 : ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
1472 : int scope, const char *expr, const char **attrs,
1473 : bool (*fn)(ADS_STRUCT *, char *, void **, void *),
1474 : void *data_area)
1475 : {
1476 0 : struct berval *cookie = NULL;
1477 0 : int count = 0;
1478 : ADS_STATUS status;
1479 : LDAPMessage *res;
1480 :
1481 0 : status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
1482 : &count, &cookie);
1483 :
1484 0 : if (!ADS_ERR_OK(status)) return status;
1485 :
1486 0 : ads_process_results(ads, res, fn, data_area);
1487 0 : ads_msgfree(ads, res);
1488 :
1489 0 : while (cookie) {
1490 0 : status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
1491 : &res, &count, &cookie);
1492 :
1493 0 : if (!ADS_ERR_OK(status)) break;
1494 :
1495 0 : ads_process_results(ads, res, fn, data_area);
1496 0 : ads_msgfree(ads, res);
1497 : }
1498 :
1499 0 : return status;
1500 : }
1501 :
1502 : /**
1503 : * Do a search with a timeout.
1504 : * @param ads connection to ads server
1505 : * @param bind_path Base dn for the search
1506 : * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1507 : * @param expr Search expression
1508 : * @param attrs Attributes to retrieve
1509 : * @param res ** which will contain results - free res* with ads_msgfree()
1510 : * @return status of search
1511 : **/
1512 425 : ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
1513 : const char *expr,
1514 : const char **attrs, LDAPMessage **res)
1515 : {
1516 : int rc;
1517 425 : char *utf8_expr, *utf8_path, **search_attrs = NULL;
1518 : size_t converted_size;
1519 : TALLOC_CTX *ctx;
1520 :
1521 425 : *res = NULL;
1522 425 : if (!(ctx = talloc_init("ads_do_search"))) {
1523 0 : DEBUG(1,("ads_do_search: talloc_init() failed!"));
1524 0 : return ADS_ERROR(LDAP_NO_MEMORY);
1525 : }
1526 :
1527 : /* 0 means the conversion worked but the result was empty
1528 : so we only fail if it's negative. In any case, it always
1529 : at least nulls out the dest */
1530 425 : if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
1531 425 : !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
1532 : {
1533 0 : DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
1534 0 : rc = LDAP_NO_MEMORY;
1535 0 : goto done;
1536 : }
1537 :
1538 425 : if (!attrs || !(*attrs))
1539 0 : search_attrs = NULL;
1540 : else {
1541 : /* This would be the utf8-encoded version...*/
1542 : /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
1543 425 : if (!(search_attrs = str_list_copy(talloc_tos(), attrs)))
1544 : {
1545 0 : DEBUG(1,("ads_do_search: str_list_copy() failed!"));
1546 0 : rc = LDAP_NO_MEMORY;
1547 0 : goto done;
1548 : }
1549 : }
1550 :
1551 : /* see the note in ads_do_paged_search - we *must* disable referrals */
1552 425 : ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1553 :
1554 425 : rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1555 : search_attrs, 0, NULL, NULL,
1556 : LDAP_NO_LIMIT,
1557 : (LDAPMessage **)res);
1558 :
1559 425 : if (rc == LDAP_SIZELIMIT_EXCEEDED) {
1560 0 : DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
1561 0 : rc = 0;
1562 : }
1563 :
1564 425 : done:
1565 425 : talloc_destroy(ctx);
1566 : /* if/when we decide to utf8-encode attrs, take out this next line */
1567 425 : TALLOC_FREE(search_attrs);
1568 425 : return ADS_ERROR(rc);
1569 : }
1570 : /**
1571 : * Do a general ADS search
1572 : * @param ads connection to ads server
1573 : * @param res ** which will contain results - free res* with ads_msgfree()
1574 : * @param expr Search expression
1575 : * @param attrs Attributes to retrieve
1576 : * @return status of search
1577 : **/
1578 134 : ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
1579 : const char *expr, const char **attrs)
1580 : {
1581 134 : return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
1582 : expr, attrs, res);
1583 : }
1584 :
1585 : /**
1586 : * Do a search on a specific DistinguishedName
1587 : * @param ads connection to ads server
1588 : * @param res ** which will contain results - free res* with ads_msgfree()
1589 : * @param dn DistinguishName to search
1590 : * @param attrs Attributes to retrieve
1591 : * @return status of search
1592 : **/
1593 58 : ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
1594 : const char *dn, const char **attrs)
1595 : {
1596 58 : return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
1597 : attrs, res);
1598 : }
1599 :
1600 : /**
1601 : * Free up memory from a ads_search
1602 : * @param ads connection to ads server
1603 : * @param msg Search results to free
1604 : **/
1605 353 : void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
1606 : {
1607 353 : if (!msg) return;
1608 352 : ldap_msgfree(msg);
1609 : }
1610 :
1611 : /**
1612 : * Get a dn from search results
1613 : * @param ads connection to ads server
1614 : * @param msg Search result
1615 : * @return dn string
1616 : **/
1617 108 : char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg)
1618 : {
1619 : char *utf8_dn, *unix_dn;
1620 : size_t converted_size;
1621 :
1622 108 : utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
1623 :
1624 108 : if (!utf8_dn) {
1625 0 : DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
1626 0 : return NULL;
1627 : }
1628 :
1629 108 : if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1630 0 : DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
1631 : utf8_dn ));
1632 0 : return NULL;
1633 : }
1634 108 : ldap_memfree(utf8_dn);
1635 108 : return unix_dn;
1636 : }
1637 :
1638 : /**
1639 : * Get the parent from a dn
1640 : * @param dn the dn to return the parent from
1641 : * @return parent dn string
1642 : **/
1643 0 : char *ads_parent_dn(const char *dn)
1644 : {
1645 : char *p;
1646 :
1647 0 : if (dn == NULL) {
1648 0 : return NULL;
1649 : }
1650 :
1651 0 : p = strchr(dn, ',');
1652 :
1653 0 : if (p == NULL) {
1654 0 : return NULL;
1655 : }
1656 :
1657 0 : return p+1;
1658 : }
1659 :
1660 : /**
1661 : * Find a machine account given a hostname
1662 : * @param ads connection to ads server
1663 : * @param res ** which will contain results - free res* with ads_msgfree()
1664 : * @param host Hostname to search for
1665 : * @return status of search
1666 : **/
1667 128 : ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
1668 : const char *machine)
1669 : {
1670 : ADS_STATUS status;
1671 : char *expr;
1672 128 : const char *attrs[] = {
1673 : /* This is how Windows checks for machine accounts */
1674 : "objectClass",
1675 : "SamAccountName",
1676 : "userAccountControl",
1677 : "DnsHostName",
1678 : "ServicePrincipalName",
1679 : "userPrincipalName",
1680 : "unicodePwd",
1681 :
1682 : /* Additional attributes Samba checks */
1683 : "msDS-AdditionalDnsHostName",
1684 : "msDS-SupportedEncryptionTypes",
1685 : "nTSecurityDescriptor",
1686 : "objectSid",
1687 :
1688 : NULL
1689 : };
1690 128 : TALLOC_CTX *frame = talloc_stackframe();
1691 :
1692 128 : *res = NULL;
1693 :
1694 : /* the easiest way to find a machine account anywhere in the tree
1695 : is to look for hostname$ */
1696 128 : expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
1697 128 : if (expr == NULL) {
1698 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1699 0 : goto done;
1700 : }
1701 :
1702 128 : status = ads_search(ads, res, expr, attrs);
1703 128 : if (ADS_ERR_OK(status)) {
1704 128 : if (ads_count_replies(ads, *res) != 1) {
1705 24 : status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
1706 : }
1707 : }
1708 :
1709 104 : done:
1710 128 : TALLOC_FREE(frame);
1711 128 : return status;
1712 : }
1713 :
1714 : /**
1715 : * Initialize a list of mods to be used in a modify request
1716 : * @param ctx An initialized TALLOC_CTX
1717 : * @return allocated ADS_MODLIST
1718 : **/
1719 82 : ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1720 : {
1721 : #define ADS_MODLIST_ALLOC_SIZE 10
1722 : LDAPMod **mods;
1723 :
1724 82 : if ((mods = talloc_zero_array(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1725 : /* -1 is safety to make sure we don't go over the end.
1726 : need to reset it to NULL before doing ldap modify */
1727 82 : mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1728 :
1729 82 : return (ADS_MODLIST)mods;
1730 : }
1731 :
1732 :
1733 : /*
1734 : add an attribute to the list, with values list already constructed
1735 : */
1736 252 : static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1737 : int mod_op, const char *name,
1738 : const void *_invals)
1739 : {
1740 : int curmod;
1741 252 : LDAPMod **modlist = (LDAPMod **) *mods;
1742 252 : struct berval **ber_values = NULL;
1743 252 : char **char_values = NULL;
1744 :
1745 252 : if (!_invals) {
1746 0 : mod_op = LDAP_MOD_DELETE;
1747 : } else {
1748 252 : if (mod_op & LDAP_MOD_BVALUES) {
1749 : const struct berval **b;
1750 26 : b = discard_const_p(const struct berval *, _invals);
1751 26 : ber_values = ads_dup_values(ctx, b);
1752 : } else {
1753 : const char **c;
1754 226 : c = discard_const_p(const char *, _invals);
1755 226 : char_values = ads_push_strvals(ctx, c);
1756 : }
1757 : }
1758 :
1759 : /* find the first empty slot */
1760 722 : for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1761 470 : curmod++);
1762 252 : if (modlist[curmod] == (LDAPMod *) -1) {
1763 0 : if (!(modlist = talloc_realloc(ctx, modlist, LDAPMod *,
1764 : curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1765 0 : return ADS_ERROR(LDAP_NO_MEMORY);
1766 0 : memset(&modlist[curmod], 0,
1767 : ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
1768 0 : modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1769 0 : *mods = (ADS_MODLIST)modlist;
1770 : }
1771 :
1772 252 : if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod)))
1773 0 : return ADS_ERROR(LDAP_NO_MEMORY);
1774 252 : modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1775 252 : if (mod_op & LDAP_MOD_BVALUES) {
1776 26 : modlist[curmod]->mod_bvalues = ber_values;
1777 226 : } else if (mod_op & LDAP_MOD_DELETE) {
1778 0 : modlist[curmod]->mod_values = NULL;
1779 : } else {
1780 226 : modlist[curmod]->mod_values = char_values;
1781 : }
1782 :
1783 252 : modlist[curmod]->mod_op = mod_op;
1784 252 : return ADS_ERROR(LDAP_SUCCESS);
1785 : }
1786 :
1787 : /**
1788 : * Add a single string value to a mod list
1789 : * @param ctx An initialized TALLOC_CTX
1790 : * @param mods An initialized ADS_MODLIST
1791 : * @param name The attribute name to add
1792 : * @param val The value to add - NULL means DELETE
1793 : * @return ADS STATUS indicating success of add
1794 : **/
1795 172 : ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1796 : const char *name, const char *val)
1797 : {
1798 : const char *values[2];
1799 :
1800 172 : values[0] = val;
1801 172 : values[1] = NULL;
1802 :
1803 172 : if (!val)
1804 0 : return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1805 172 : return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1806 : }
1807 :
1808 : /**
1809 : * Add an array of string values to a mod list
1810 : * @param ctx An initialized TALLOC_CTX
1811 : * @param mods An initialized ADS_MODLIST
1812 : * @param name The attribute name to add
1813 : * @param vals The array of string values to add - NULL means DELETE
1814 : * @return ADS STATUS indicating success of add
1815 : **/
1816 54 : ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1817 : const char *name, const char **vals)
1818 : {
1819 54 : if (!vals)
1820 0 : return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1821 54 : return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1822 : name, (const void **) vals);
1823 : }
1824 :
1825 : /**
1826 : * Add a single ber-encoded value to a mod list
1827 : * @param ctx An initialized TALLOC_CTX
1828 : * @param mods An initialized ADS_MODLIST
1829 : * @param name The attribute name to add
1830 : * @param val The value to add - NULL means DELETE
1831 : * @return ADS STATUS indicating success of add
1832 : **/
1833 26 : static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1834 : const char *name, const struct berval *val)
1835 : {
1836 : const struct berval *values[2];
1837 :
1838 26 : values[0] = val;
1839 26 : values[1] = NULL;
1840 26 : if (!val)
1841 0 : return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1842 26 : return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
1843 : name, (const void **) values);
1844 : }
1845 :
1846 84 : static void ads_print_error(int ret, LDAP *ld)
1847 : {
1848 84 : if (ret != 0) {
1849 0 : char *ld_error = NULL;
1850 0 : ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
1851 0 : DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
1852 : ret,
1853 : ldap_err2string(ret),
1854 : ld_error);
1855 0 : SAFE_FREE(ld_error);
1856 : }
1857 84 : }
1858 :
1859 : /**
1860 : * Perform an ldap modify
1861 : * @param ads connection to ads server
1862 : * @param mod_dn DistinguishedName to modify
1863 : * @param mods list of modifications to perform
1864 : * @return status of modify
1865 : **/
1866 54 : ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
1867 : {
1868 : int ret,i;
1869 54 : char *utf8_dn = NULL;
1870 : size_t converted_size;
1871 : /*
1872 : this control is needed to modify that contains a currently
1873 : non-existent attribute (but allowable for the object) to run
1874 : */
1875 54 : LDAPControl PermitModify = {
1876 : discard_const_p(char, ADS_PERMIT_MODIFY_OID),
1877 : {0, NULL},
1878 : (char) 1};
1879 : LDAPControl *controls[2];
1880 :
1881 54 : DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
1882 :
1883 54 : controls[0] = &PermitModify;
1884 54 : controls[1] = NULL;
1885 :
1886 54 : if (!push_utf8_talloc(talloc_tos(), &utf8_dn, mod_dn, &converted_size)) {
1887 0 : return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1888 : }
1889 :
1890 : /* find the end of the list, marked by NULL or -1 */
1891 134 : for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1892 : /* make sure the end of the list is NULL */
1893 54 : mods[i] = NULL;
1894 54 : ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
1895 : (LDAPMod **) mods, controls, NULL);
1896 54 : ads_print_error(ret, ads->ldap.ld);
1897 54 : TALLOC_FREE(utf8_dn);
1898 54 : return ADS_ERROR(ret);
1899 : }
1900 :
1901 : /**
1902 : * Perform an ldap add
1903 : * @param ads connection to ads server
1904 : * @param new_dn DistinguishedName to add
1905 : * @param mods list of attributes and values for DN
1906 : * @return status of add
1907 : **/
1908 28 : ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
1909 : {
1910 : int ret, i;
1911 28 : char *utf8_dn = NULL;
1912 : size_t converted_size;
1913 :
1914 28 : DBG_INFO("AD LDAP: Adding %s\n", new_dn);
1915 :
1916 28 : if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
1917 0 : DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
1918 0 : return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1919 : }
1920 :
1921 : /* find the end of the list, marked by NULL or -1 */
1922 200 : for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1923 : /* make sure the end of the list is NULL */
1924 28 : mods[i] = NULL;
1925 :
1926 28 : ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL);
1927 28 : ads_print_error(ret, ads->ldap.ld);
1928 28 : TALLOC_FREE(utf8_dn);
1929 28 : return ADS_ERROR(ret);
1930 : }
1931 :
1932 : /**
1933 : * Delete a DistinguishedName
1934 : * @param ads connection to ads server
1935 : * @param new_dn DistinguishedName to delete
1936 : * @return status of delete
1937 : **/
1938 2 : ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
1939 : {
1940 : int ret;
1941 2 : char *utf8_dn = NULL;
1942 : size_t converted_size;
1943 2 : if (!push_utf8_talloc(talloc_tos(), &utf8_dn, del_dn, &converted_size)) {
1944 0 : DEBUG(1, ("ads_del_dn: push_utf8_talloc failed!"));
1945 0 : return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1946 : }
1947 :
1948 2 : DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
1949 :
1950 2 : ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
1951 2 : ads_print_error(ret, ads->ldap.ld);
1952 2 : TALLOC_FREE(utf8_dn);
1953 2 : return ADS_ERROR(ret);
1954 : }
1955 :
1956 : /**
1957 : * Build an org unit string
1958 : * if org unit is Computers or blank then assume a container, otherwise
1959 : * assume a / separated list of organisational units.
1960 : * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1961 : * @param ads connection to ads server
1962 : * @param org_unit Organizational unit
1963 : * @return org unit string - caller must free
1964 : **/
1965 26 : char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
1966 : {
1967 : ADS_STATUS status;
1968 26 : char *ret = NULL;
1969 26 : char *dn = NULL;
1970 :
1971 26 : if (!org_unit || !*org_unit) {
1972 :
1973 26 : ret = ads_default_ou_string(ads, DS_GUID_COMPUTERS_CONTAINER);
1974 :
1975 : /* samba4 might not yet respond to a wellknownobject-query */
1976 26 : return ret ? ret : SMB_STRDUP("cn=Computers");
1977 : }
1978 :
1979 0 : if (strequal(org_unit, "Computers")) {
1980 0 : return SMB_STRDUP("cn=Computers");
1981 : }
1982 :
1983 : /* jmcd: removed "\\" from the separation chars, because it is
1984 : needed as an escape for chars like '#' which are valid in an
1985 : OU name */
1986 0 : status = ads_build_path(org_unit, "/", "ou=", 1, &dn);
1987 0 : if (!ADS_ERR_OK(status)) {
1988 0 : return NULL;
1989 : }
1990 :
1991 0 : return dn;
1992 : }
1993 :
1994 : /**
1995 : * Get a org unit string for a well-known GUID
1996 : * @param ads connection to ads server
1997 : * @param wknguid Well known GUID
1998 : * @return org unit string - caller must free
1999 : **/
2000 30 : char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
2001 : {
2002 : ADS_STATUS status;
2003 30 : LDAPMessage *res = NULL;
2004 30 : char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
2005 30 : **bind_dn_exp = NULL;
2006 30 : const char *attrs[] = {"distinguishedName", NULL};
2007 : int new_ln, wkn_ln, bind_ln, i;
2008 :
2009 30 : if (wknguid == NULL) {
2010 0 : return NULL;
2011 : }
2012 :
2013 30 : if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
2014 0 : DEBUG(1, ("asprintf failed!\n"));
2015 0 : return NULL;
2016 : }
2017 :
2018 30 : status = ads_search_dn(ads, &res, base, attrs);
2019 30 : if (!ADS_ERR_OK(status)) {
2020 0 : DEBUG(1,("Failed while searching for: %s\n", base));
2021 0 : goto out;
2022 : }
2023 :
2024 30 : if (ads_count_replies(ads, res) != 1) {
2025 0 : goto out;
2026 : }
2027 :
2028 : /* substitute the bind-path from the well-known-guid-search result */
2029 30 : wkn_dn = ads_get_dn(ads, talloc_tos(), res);
2030 30 : if (!wkn_dn) {
2031 0 : goto out;
2032 : }
2033 :
2034 30 : wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
2035 30 : if (!wkn_dn_exp) {
2036 0 : goto out;
2037 : }
2038 :
2039 30 : bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
2040 30 : if (!bind_dn_exp) {
2041 0 : goto out;
2042 : }
2043 :
2044 170 : for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
2045 : ;
2046 140 : for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
2047 : ;
2048 :
2049 30 : new_ln = wkn_ln - bind_ln;
2050 :
2051 30 : ret = SMB_STRDUP(wkn_dn_exp[0]);
2052 30 : if (!ret) {
2053 0 : goto out;
2054 : }
2055 :
2056 30 : for (i=1; i < new_ln; i++) {
2057 0 : char *s = NULL;
2058 :
2059 0 : if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
2060 0 : SAFE_FREE(ret);
2061 0 : goto out;
2062 : }
2063 :
2064 0 : SAFE_FREE(ret);
2065 0 : ret = SMB_STRDUP(s);
2066 0 : free(s);
2067 0 : if (!ret) {
2068 0 : goto out;
2069 : }
2070 : }
2071 :
2072 30 : out:
2073 30 : SAFE_FREE(base);
2074 30 : ads_msgfree(ads, res);
2075 30 : TALLOC_FREE(wkn_dn);
2076 30 : if (wkn_dn_exp) {
2077 30 : ldap_value_free(wkn_dn_exp);
2078 : }
2079 30 : if (bind_dn_exp) {
2080 30 : ldap_value_free(bind_dn_exp);
2081 : }
2082 :
2083 30 : return ret;
2084 : }
2085 :
2086 : /**
2087 : * Adds (appends) an item to an attribute array, rather then
2088 : * replacing the whole list
2089 : * @param ctx An initialized TALLOC_CTX
2090 : * @param mods An initialized ADS_MODLIST
2091 : * @param name name of the ldap attribute to append to
2092 : * @param vals an array of values to add
2093 : * @return status of addition
2094 : **/
2095 :
2096 0 : ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
2097 : const char *name, const char **vals)
2098 : {
2099 0 : return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
2100 : (const void *) vals);
2101 : }
2102 :
2103 : /**
2104 : * Determines the an account's current KVNO via an LDAP lookup
2105 : * @param ads An initialized ADS_STRUCT
2106 : * @param account_name the NT samaccountname.
2107 : * @return the kvno for the account, or -1 in case of a failure.
2108 : **/
2109 :
2110 0 : uint32_t ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
2111 : {
2112 0 : LDAPMessage *res = NULL;
2113 0 : uint32_t kvno = (uint32_t)-1; /* -1 indicates a failure */
2114 : char *filter;
2115 0 : const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
2116 0 : char *dn_string = NULL;
2117 : ADS_STATUS ret;
2118 :
2119 0 : DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name));
2120 0 : if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) {
2121 0 : return kvno;
2122 : }
2123 0 : ret = ads_search(ads, &res, filter, attrs);
2124 0 : SAFE_FREE(filter);
2125 0 : if (!ADS_ERR_OK(ret) || (ads_count_replies(ads, res) != 1)) {
2126 0 : DEBUG(1,("ads_get_kvno: Account for %s not found.\n", account_name));
2127 0 : ads_msgfree(ads, res);
2128 0 : return kvno;
2129 : }
2130 :
2131 0 : dn_string = ads_get_dn(ads, talloc_tos(), res);
2132 0 : if (!dn_string) {
2133 0 : DEBUG(0,("ads_get_kvno: out of memory.\n"));
2134 0 : ads_msgfree(ads, res);
2135 0 : return kvno;
2136 : }
2137 0 : DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
2138 0 : TALLOC_FREE(dn_string);
2139 :
2140 : /* ---------------------------------------------------------
2141 : * 0 is returned as a default KVNO from this point on...
2142 : * This is done because Windows 2000 does not support key
2143 : * version numbers. Chances are that a failure in the next
2144 : * step is simply due to Windows 2000 being used for a
2145 : * domain controller. */
2146 0 : kvno = 0;
2147 :
2148 0 : if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
2149 0 : DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
2150 0 : DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
2151 0 : ads_msgfree(ads, res);
2152 0 : return kvno;
2153 : }
2154 :
2155 : /* Success */
2156 0 : DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
2157 0 : ads_msgfree(ads, res);
2158 0 : return kvno;
2159 : }
2160 :
2161 : /**
2162 : * Determines the computer account's current KVNO via an LDAP lookup
2163 : * @param ads An initialized ADS_STRUCT
2164 : * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
2165 : * @return the kvno for the computer account, or -1 in case of a failure.
2166 : **/
2167 :
2168 0 : uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name)
2169 : {
2170 0 : char *computer_account = NULL;
2171 0 : uint32_t kvno = -1;
2172 :
2173 0 : if (asprintf(&computer_account, "%s$", machine_name) < 0) {
2174 0 : return kvno;
2175 : }
2176 :
2177 0 : kvno = ads_get_kvno(ads, computer_account);
2178 0 : free(computer_account);
2179 :
2180 0 : return kvno;
2181 : }
2182 :
2183 : /**
2184 : * This clears out all registered spn's for a given hostname
2185 : * @param ads An initilaized ADS_STRUCT
2186 : * @param machine_name the NetBIOS name of the computer.
2187 : * @return 0 upon success, non-zero otherwise.
2188 : **/
2189 :
2190 0 : ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name)
2191 : {
2192 : TALLOC_CTX *ctx;
2193 0 : LDAPMessage *res = NULL;
2194 : ADS_MODLIST mods;
2195 0 : const char *servicePrincipalName[1] = {NULL};
2196 : ADS_STATUS ret;
2197 0 : char *dn_string = NULL;
2198 :
2199 0 : ret = ads_find_machine_acct(ads, &res, machine_name);
2200 0 : if (!ADS_ERR_OK(ret)) {
2201 0 : DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
2202 0 : DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
2203 0 : ads_msgfree(ads, res);
2204 0 : return ret;
2205 : }
2206 :
2207 0 : DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
2208 0 : ctx = talloc_init("ads_clear_service_principal_names");
2209 0 : if (!ctx) {
2210 0 : ads_msgfree(ads, res);
2211 0 : return ADS_ERROR(LDAP_NO_MEMORY);
2212 : }
2213 :
2214 0 : if (!(mods = ads_init_mods(ctx))) {
2215 0 : talloc_destroy(ctx);
2216 0 : ads_msgfree(ads, res);
2217 0 : return ADS_ERROR(LDAP_NO_MEMORY);
2218 : }
2219 0 : ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
2220 0 : if (!ADS_ERR_OK(ret)) {
2221 0 : DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
2222 0 : ads_msgfree(ads, res);
2223 0 : talloc_destroy(ctx);
2224 0 : return ret;
2225 : }
2226 0 : dn_string = ads_get_dn(ads, talloc_tos(), res);
2227 0 : if (!dn_string) {
2228 0 : talloc_destroy(ctx);
2229 0 : ads_msgfree(ads, res);
2230 0 : return ADS_ERROR(LDAP_NO_MEMORY);
2231 : }
2232 0 : ret = ads_gen_mod(ads, dn_string, mods);
2233 0 : TALLOC_FREE(dn_string);
2234 0 : if (!ADS_ERR_OK(ret)) {
2235 0 : DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
2236 : machine_name));
2237 0 : ads_msgfree(ads, res);
2238 0 : talloc_destroy(ctx);
2239 0 : return ret;
2240 : }
2241 :
2242 0 : ads_msgfree(ads, res);
2243 0 : talloc_destroy(ctx);
2244 0 : return ret;
2245 : }
2246 :
2247 : /**
2248 : * @brief Search for an element in a string array.
2249 : *
2250 : * @param[in] el_array The string array to search.
2251 : *
2252 : * @param[in] num_el The number of elements in the string array.
2253 : *
2254 : * @param[in] el The string to search.
2255 : *
2256 : * @return True if found, false if not.
2257 : */
2258 60 : bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
2259 : {
2260 : size_t i;
2261 :
2262 60 : if (el_array == NULL || num_el == 0 || el == NULL) {
2263 0 : return false;
2264 : }
2265 :
2266 168 : for (i = 0; i < num_el && el_array[i] != NULL; i++) {
2267 : int cmp;
2268 :
2269 160 : cmp = strcasecmp_m(el_array[i], el);
2270 160 : if (cmp == 0) {
2271 52 : return true;
2272 : }
2273 : }
2274 :
2275 8 : return false;
2276 : }
2277 :
2278 : /**
2279 : * @brief This gets the service principal names of an existing computer account.
2280 : *
2281 : * @param[in] mem_ctx The memory context to use to allocate the spn array.
2282 : *
2283 : * @param[in] ads The ADS context to use.
2284 : *
2285 : * @param[in] machine_name The NetBIOS name of the computer, which is used to
2286 : * identify the computer account.
2287 : *
2288 : * @param[in] spn_array A pointer to store the array for SPNs.
2289 : *
2290 : * @param[in] num_spns The number of principals stored in the array.
2291 : *
2292 : * @return 0 on success, or a ADS error if a failure occurred.
2293 : */
2294 26 : ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
2295 : ADS_STRUCT *ads,
2296 : const char *machine_name,
2297 : char ***spn_array,
2298 : size_t *num_spns)
2299 : {
2300 : ADS_STATUS status;
2301 26 : LDAPMessage *res = NULL;
2302 : int count;
2303 :
2304 26 : status = ads_find_machine_acct(ads,
2305 : &res,
2306 : machine_name);
2307 26 : if (!ADS_ERR_OK(status)) {
2308 0 : DEBUG(1,("Host Account for %s not found... skipping operation.\n",
2309 : machine_name));
2310 0 : return status;
2311 : }
2312 :
2313 26 : count = ads_count_replies(ads, res);
2314 26 : if (count != 1) {
2315 0 : status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2316 0 : goto done;
2317 : }
2318 :
2319 26 : *spn_array = ads_pull_strings(ads,
2320 : mem_ctx,
2321 : res,
2322 : "servicePrincipalName",
2323 : num_spns);
2324 26 : if (*spn_array == NULL) {
2325 0 : DEBUG(1, ("Host account for %s does not have service principal "
2326 : "names.\n",
2327 : machine_name));
2328 0 : status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2329 0 : goto done;
2330 : }
2331 :
2332 26 : done:
2333 26 : ads_msgfree(ads, res);
2334 :
2335 26 : return status;
2336 : }
2337 :
2338 : /**
2339 : * This adds a service principal name to an existing computer account
2340 : * (found by hostname) in AD.
2341 : * @param ads An initialized ADS_STRUCT
2342 : * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
2343 : * @param spns An array or strings for the service principals to add,
2344 : * i.e. 'cifs/machine_name', 'http/machine.full.domain.com' etc.
2345 : * @return 0 upon sucess, or non-zero if a failure occurs
2346 : **/
2347 :
2348 0 : ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
2349 : const char *machine_name,
2350 : const char **spns)
2351 : {
2352 : ADS_STATUS ret;
2353 : TALLOC_CTX *ctx;
2354 0 : LDAPMessage *res = NULL;
2355 : ADS_MODLIST mods;
2356 0 : char *dn_string = NULL;
2357 0 : const char **servicePrincipalName = spns;
2358 :
2359 0 : ret = ads_find_machine_acct(ads, &res, machine_name);
2360 0 : if (!ADS_ERR_OK(ret)) {
2361 0 : DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
2362 : machine_name));
2363 0 : DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n"));
2364 0 : ads_msgfree(ads, res);
2365 0 : return ret;
2366 : }
2367 :
2368 0 : DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
2369 0 : if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
2370 0 : ads_msgfree(ads, res);
2371 0 : return ADS_ERROR(LDAP_NO_MEMORY);
2372 : }
2373 :
2374 0 : DEBUG(5,("ads_add_service_principal_name: INFO: "
2375 : "Adding %s to host %s\n",
2376 : spns[0] ? "N/A" : spns[0], machine_name));
2377 :
2378 :
2379 0 : DEBUG(5,("ads_add_service_principal_name: INFO: "
2380 : "Adding %s to host %s\n",
2381 : spns[1] ? "N/A" : spns[1], machine_name));
2382 :
2383 0 : if ( (mods = ads_init_mods(ctx)) == NULL ) {
2384 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2385 0 : goto out;
2386 : }
2387 :
2388 0 : ret = ads_add_strlist(ctx,
2389 : &mods,
2390 : "servicePrincipalName",
2391 : servicePrincipalName);
2392 0 : if (!ADS_ERR_OK(ret)) {
2393 0 : DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
2394 0 : goto out;
2395 : }
2396 :
2397 0 : if ( (dn_string = ads_get_dn(ads, ctx, res)) == NULL ) {
2398 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2399 0 : goto out;
2400 : }
2401 :
2402 0 : ret = ads_gen_mod(ads, dn_string, mods);
2403 0 : if (!ADS_ERR_OK(ret)) {
2404 0 : DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
2405 0 : goto out;
2406 : }
2407 :
2408 0 : out:
2409 0 : TALLOC_FREE( ctx );
2410 0 : ads_msgfree(ads, res);
2411 0 : return ret;
2412 : }
2413 :
2414 2 : static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads,
2415 : LDAPMessage *msg)
2416 : {
2417 2 : uint32_t acct_ctrl = 0;
2418 : bool ok;
2419 :
2420 2 : ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl);
2421 2 : if (!ok) {
2422 0 : return 0;
2423 : }
2424 :
2425 2 : return acct_ctrl;
2426 : }
2427 :
2428 2 : static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads,
2429 : LDAPMessage *msg,
2430 : const struct berval *machine_pw_val)
2431 : {
2432 : ADS_MODLIST mods;
2433 : ADS_STATUS ret;
2434 2 : TALLOC_CTX *frame = talloc_stackframe();
2435 : uint32_t acct_control;
2436 2 : char *control_str = NULL;
2437 2 : const char *attrs[] = {
2438 : "objectSid",
2439 : NULL
2440 : };
2441 2 : LDAPMessage *res = NULL;
2442 2 : char *dn = NULL;
2443 :
2444 2 : dn = ads_get_dn(ads, frame, msg);
2445 2 : if (dn == NULL) {
2446 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2447 0 : goto done;
2448 : }
2449 :
2450 2 : acct_control = ads_get_acct_ctrl(ads, msg);
2451 2 : if (acct_control == 0) {
2452 0 : ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2453 0 : goto done;
2454 : }
2455 :
2456 : /*
2457 : * Changing the password, disables the account. So we need to change the
2458 : * userAccountControl flags to enable it again.
2459 : */
2460 2 : mods = ads_init_mods(frame);
2461 2 : if (mods == NULL) {
2462 0 : ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
2463 0 : goto done;
2464 : }
2465 :
2466 2 : ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val);
2467 :
2468 2 : ret = ads_gen_mod(ads, dn, mods);
2469 2 : if (!ADS_ERR_OK(ret)) {
2470 0 : goto done;
2471 : }
2472 2 : TALLOC_FREE(mods);
2473 :
2474 : /*
2475 : * To activate the account, we need to disable and enable it.
2476 : */
2477 2 : acct_control |= UF_ACCOUNTDISABLE;
2478 :
2479 2 : control_str = talloc_asprintf(frame, "%u", acct_control);
2480 2 : if (control_str == NULL) {
2481 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2482 0 : goto done;
2483 : }
2484 :
2485 2 : mods = ads_init_mods(frame);
2486 2 : if (mods == NULL) {
2487 0 : ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
2488 0 : goto done;
2489 : }
2490 :
2491 2 : ads_mod_str(frame, &mods, "userAccountControl", control_str);
2492 :
2493 2 : ret = ads_gen_mod(ads, dn, mods);
2494 2 : if (!ADS_ERR_OK(ret)) {
2495 0 : goto done;
2496 : }
2497 2 : TALLOC_FREE(mods);
2498 2 : TALLOC_FREE(control_str);
2499 :
2500 : /*
2501 : * Enable the account again.
2502 : */
2503 2 : acct_control &= ~UF_ACCOUNTDISABLE;
2504 :
2505 2 : control_str = talloc_asprintf(frame, "%u", acct_control);
2506 2 : if (control_str == NULL) {
2507 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2508 0 : goto done;
2509 : }
2510 :
2511 2 : mods = ads_init_mods(frame);
2512 2 : if (mods == NULL) {
2513 0 : ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
2514 0 : goto done;
2515 : }
2516 :
2517 2 : ads_mod_str(frame, &mods, "userAccountControl", control_str);
2518 :
2519 2 : ret = ads_gen_mod(ads, dn, mods);
2520 2 : if (!ADS_ERR_OK(ret)) {
2521 0 : goto done;
2522 : }
2523 2 : TALLOC_FREE(mods);
2524 2 : TALLOC_FREE(control_str);
2525 :
2526 2 : ret = ads_search_dn(ads, &res, dn, attrs);
2527 2 : ads_msgfree(ads, res);
2528 :
2529 2 : done:
2530 2 : talloc_free(frame);
2531 :
2532 2 : return ret;
2533 : }
2534 :
2535 : /**
2536 : * adds a machine account to the ADS server
2537 : * @param ads An intialized ADS_STRUCT
2538 : * @param machine_name - the NetBIOS machine name of this account.
2539 : * @param account_type A number indicating the type of account to create
2540 : * @param org_unit The LDAP path in which to place this account
2541 : * @return 0 upon success, or non-zero otherwise
2542 : **/
2543 :
2544 26 : ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
2545 : const char *machine_name,
2546 : const char *machine_password,
2547 : const char *org_unit,
2548 : uint32_t etype_list,
2549 : const char *dns_domain_name)
2550 : {
2551 : ADS_STATUS ret;
2552 26 : char *samAccountName = NULL;
2553 26 : char *controlstr = NULL;
2554 26 : TALLOC_CTX *ctx = NULL;
2555 : ADS_MODLIST mods;
2556 26 : char *machine_escaped = NULL;
2557 26 : char *dns_hostname = NULL;
2558 26 : char *new_dn = NULL;
2559 26 : char *utf8_pw = NULL;
2560 26 : size_t utf8_pw_len = 0;
2561 26 : char *utf16_pw = NULL;
2562 26 : size_t utf16_pw_len = 0;
2563 : struct berval machine_pw_val;
2564 : bool ok;
2565 26 : const char **spn_array = NULL;
2566 26 : size_t num_spns = 0;
2567 26 : const char *spn_prefix[] = {
2568 : "HOST",
2569 : "RestrictedKrbHost",
2570 : };
2571 : size_t i;
2572 26 : LDAPMessage *res = NULL;
2573 26 : uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
2574 :
2575 26 : ctx = talloc_init("ads_add_machine_acct");
2576 26 : if (ctx == NULL) {
2577 0 : return ADS_ERROR(LDAP_NO_MEMORY);
2578 : }
2579 :
2580 26 : machine_escaped = escape_rdn_val_string_alloc(machine_name);
2581 26 : if (machine_escaped == NULL) {
2582 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2583 0 : goto done;
2584 : }
2585 :
2586 26 : utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
2587 26 : if (utf8_pw == NULL) {
2588 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2589 0 : goto done;
2590 : }
2591 26 : utf8_pw_len = strlen(utf8_pw);
2592 :
2593 26 : ok = convert_string_talloc(ctx,
2594 : CH_UTF8, CH_UTF16MUNGED,
2595 : utf8_pw, utf8_pw_len,
2596 : (void *)&utf16_pw, &utf16_pw_len);
2597 26 : if (!ok) {
2598 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2599 0 : goto done;
2600 : }
2601 :
2602 26 : machine_pw_val = (struct berval) {
2603 : .bv_val = utf16_pw,
2604 : .bv_len = utf16_pw_len,
2605 : };
2606 :
2607 : /* Check if the machine account already exists. */
2608 26 : ret = ads_find_machine_acct(ads, &res, machine_escaped);
2609 26 : if (ADS_ERR_OK(ret)) {
2610 : /* Change the machine account password */
2611 2 : ret = ads_change_machine_acct(ads, res, &machine_pw_val);
2612 2 : ads_msgfree(ads, res);
2613 :
2614 2 : goto done;
2615 : }
2616 24 : ads_msgfree(ads, res);
2617 :
2618 24 : new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
2619 24 : if (new_dn == NULL) {
2620 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2621 0 : goto done;
2622 : }
2623 :
2624 : /* Create machine account */
2625 :
2626 24 : samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
2627 24 : if (samAccountName == NULL) {
2628 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2629 0 : goto done;
2630 : }
2631 :
2632 24 : dns_hostname = talloc_asprintf(ctx,
2633 : "%s.%s",
2634 : machine_name,
2635 : dns_domain_name);
2636 24 : if (dns_hostname == NULL) {
2637 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2638 0 : goto done;
2639 : }
2640 :
2641 : /* Add dns_hostname SPNs */
2642 72 : for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
2643 48 : char *spn = talloc_asprintf(ctx,
2644 : "%s/%s",
2645 : spn_prefix[i],
2646 : dns_hostname);
2647 48 : if (spn == NULL) {
2648 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2649 0 : goto done;
2650 : }
2651 :
2652 48 : ok = add_string_to_array(spn_array,
2653 : spn,
2654 : &spn_array,
2655 : &num_spns);
2656 48 : if (!ok) {
2657 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2658 0 : goto done;
2659 : }
2660 : }
2661 :
2662 : /* Add machine_name SPNs */
2663 72 : for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
2664 48 : char *spn = talloc_asprintf(ctx,
2665 : "%s/%s",
2666 : spn_prefix[i],
2667 : machine_name);
2668 48 : if (spn == NULL) {
2669 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2670 0 : goto done;
2671 : }
2672 :
2673 48 : ok = add_string_to_array(spn_array,
2674 : spn,
2675 : &spn_array,
2676 : &num_spns);
2677 48 : if (!ok) {
2678 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2679 0 : goto done;
2680 : }
2681 : }
2682 :
2683 : /* Make sure to NULL terminate the array */
2684 24 : spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1);
2685 24 : if (spn_array == NULL) {
2686 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2687 0 : goto done;
2688 : }
2689 24 : spn_array[num_spns] = NULL;
2690 :
2691 24 : controlstr = talloc_asprintf(ctx, "%u", acct_control);
2692 24 : if (controlstr == NULL) {
2693 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2694 0 : goto done;
2695 : }
2696 :
2697 24 : mods = ads_init_mods(ctx);
2698 24 : if (mods == NULL) {
2699 0 : ret = ADS_ERROR(LDAP_NO_MEMORY);
2700 0 : goto done;
2701 : }
2702 :
2703 24 : ads_mod_str(ctx, &mods, "objectClass", "Computer");
2704 24 : ads_mod_str(ctx, &mods, "SamAccountName", samAccountName);
2705 24 : ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
2706 24 : ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname);
2707 24 : ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array);
2708 24 : ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);
2709 :
2710 24 : ret = ads_gen_add(ads, new_dn, mods);
2711 :
2712 26 : done:
2713 26 : SAFE_FREE(machine_escaped);
2714 26 : talloc_destroy(ctx);
2715 :
2716 26 : return ret;
2717 : }
2718 :
2719 : /**
2720 : * move a machine account to another OU on the ADS server
2721 : * @param ads - An intialized ADS_STRUCT
2722 : * @param machine_name - the NetBIOS machine name of this account.
2723 : * @param org_unit - The LDAP path in which to place this account
2724 : * @param moved - whether we moved the machine account (optional)
2725 : * @return 0 upon success, or non-zero otherwise
2726 : **/
2727 :
2728 0 : ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
2729 : const char *org_unit, bool *moved)
2730 : {
2731 : ADS_STATUS rc;
2732 : int ldap_status;
2733 0 : LDAPMessage *res = NULL;
2734 0 : char *filter = NULL;
2735 0 : char *computer_dn = NULL;
2736 : char *parent_dn;
2737 0 : char *computer_rdn = NULL;
2738 0 : bool need_move = False;
2739 :
2740 0 : if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
2741 0 : rc = ADS_ERROR(LDAP_NO_MEMORY);
2742 0 : goto done;
2743 : }
2744 :
2745 : /* Find pre-existing machine */
2746 0 : rc = ads_search(ads, &res, filter, NULL);
2747 0 : if (!ADS_ERR_OK(rc)) {
2748 0 : goto done;
2749 : }
2750 :
2751 0 : computer_dn = ads_get_dn(ads, talloc_tos(), res);
2752 0 : if (!computer_dn) {
2753 0 : rc = ADS_ERROR(LDAP_NO_MEMORY);
2754 0 : goto done;
2755 : }
2756 :
2757 0 : parent_dn = ads_parent_dn(computer_dn);
2758 0 : if (strequal(parent_dn, org_unit)) {
2759 0 : goto done;
2760 : }
2761 :
2762 0 : need_move = True;
2763 :
2764 0 : if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
2765 0 : rc = ADS_ERROR(LDAP_NO_MEMORY);
2766 0 : goto done;
2767 : }
2768 :
2769 0 : ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn,
2770 : org_unit, 1, NULL, NULL);
2771 0 : rc = ADS_ERROR(ldap_status);
2772 :
2773 0 : done:
2774 0 : ads_msgfree(ads, res);
2775 0 : SAFE_FREE(filter);
2776 0 : TALLOC_FREE(computer_dn);
2777 0 : SAFE_FREE(computer_rdn);
2778 :
2779 0 : if (!ADS_ERR_OK(rc)) {
2780 0 : need_move = False;
2781 : }
2782 :
2783 0 : if (moved) {
2784 0 : *moved = need_move;
2785 : }
2786 :
2787 0 : return rc;
2788 : }
2789 :
2790 : /*
2791 : dump a binary result from ldap
2792 : */
2793 0 : static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values)
2794 : {
2795 : size_t i;
2796 0 : for (i=0; values[i]; i++) {
2797 : ber_len_t j;
2798 0 : printf("%s: ", field);
2799 0 : for (j=0; j<values[i]->bv_len; j++) {
2800 0 : printf("%02X", (unsigned char)values[i]->bv_val[j]);
2801 : }
2802 0 : printf("\n");
2803 : }
2804 0 : }
2805 :
2806 0 : static void dump_guid(ADS_STRUCT *ads, const char *field, struct berval **values)
2807 : {
2808 : int i;
2809 0 : for (i=0; values[i]; i++) {
2810 : NTSTATUS status;
2811 0 : DATA_BLOB in = data_blob_const(values[i]->bv_val, values[i]->bv_len);
2812 : struct GUID guid;
2813 :
2814 0 : status = GUID_from_ndr_blob(&in, &guid);
2815 0 : if (NT_STATUS_IS_OK(status)) {
2816 0 : printf("%s: %s\n", field, GUID_string(talloc_tos(), &guid));
2817 : } else {
2818 0 : printf("%s: INVALID GUID\n", field);
2819 : }
2820 : }
2821 0 : }
2822 :
2823 : /*
2824 : dump a sid result from ldap
2825 : */
2826 0 : static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
2827 : {
2828 : int i;
2829 0 : for (i=0; values[i]; i++) {
2830 : ssize_t ret;
2831 : struct dom_sid sid;
2832 : struct dom_sid_buf tmp;
2833 0 : ret = sid_parse((const uint8_t *)values[i]->bv_val,
2834 0 : values[i]->bv_len, &sid);
2835 0 : if (ret == -1) {
2836 0 : return;
2837 : }
2838 0 : printf("%s: %s\n", field, dom_sid_str_buf(&sid, &tmp));
2839 : }
2840 : }
2841 :
2842 : /*
2843 : dump ntSecurityDescriptor
2844 : */
2845 0 : static void dump_sd(ADS_STRUCT *ads, const char *filed, struct berval **values)
2846 : {
2847 0 : TALLOC_CTX *frame = talloc_stackframe();
2848 : struct security_descriptor *psd;
2849 : NTSTATUS status;
2850 :
2851 0 : status = unmarshall_sec_desc(talloc_tos(), (uint8_t *)values[0]->bv_val,
2852 0 : values[0]->bv_len, &psd);
2853 0 : if (!NT_STATUS_IS_OK(status)) {
2854 0 : DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
2855 : nt_errstr(status)));
2856 0 : TALLOC_FREE(frame);
2857 0 : return;
2858 : }
2859 :
2860 0 : if (psd) {
2861 0 : ads_disp_sd(ads, talloc_tos(), psd);
2862 : }
2863 :
2864 0 : TALLOC_FREE(frame);
2865 : }
2866 :
2867 : /*
2868 : dump a string result from ldap
2869 : */
2870 51 : static void dump_string(const char *field, char **values)
2871 : {
2872 : int i;
2873 102 : for (i=0; values[i]; i++) {
2874 51 : printf("%s: %s\n", field, values[i]);
2875 : }
2876 51 : }
2877 :
2878 : /*
2879 : dump a field from LDAP on stdout
2880 : used for debugging
2881 : */
2882 :
2883 153 : static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *data_area)
2884 : {
2885 : const struct {
2886 : const char *name;
2887 : bool string;
2888 : void (*handler)(ADS_STRUCT *, const char *, struct berval **);
2889 153 : } handlers[] = {
2890 : {"objectGUID", False, dump_guid},
2891 : {"netbootGUID", False, dump_guid},
2892 : {"nTSecurityDescriptor", False, dump_sd},
2893 : {"dnsRecord", False, dump_binary},
2894 : {"objectSid", False, dump_sid},
2895 : {"tokenGroups", False, dump_sid},
2896 : {"tokenGroupsNoGCAcceptable", False, dump_sid},
2897 : {"tokengroupsGlobalandUniversal", False, dump_sid},
2898 : {"mS-DS-CreatorSID", False, dump_sid},
2899 : {"msExchMailboxGuid", False, dump_guid},
2900 : {NULL, True, NULL}
2901 : };
2902 : int i;
2903 :
2904 153 : if (!field) { /* must be end of an entry */
2905 51 : printf("\n");
2906 51 : return False;
2907 : }
2908 :
2909 1122 : for (i=0; handlers[i].name; i++) {
2910 1020 : if (strcasecmp_m(handlers[i].name, field) == 0) {
2911 0 : if (!values) /* first time, indicate string or not */
2912 0 : return handlers[i].string;
2913 0 : handlers[i].handler(ads, field, (struct berval **) values);
2914 0 : break;
2915 : }
2916 : }
2917 102 : if (!handlers[i].name) {
2918 102 : if (!values) /* first time, indicate string conversion */
2919 51 : return True;
2920 51 : dump_string(field, (char **)values);
2921 : }
2922 51 : return False;
2923 : }
2924 :
2925 : /**
2926 : * Dump a result from LDAP on stdout
2927 : * used for debugging
2928 : * @param ads connection to ads server
2929 : * @param res Results to dump
2930 : **/
2931 :
2932 13 : void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
2933 : {
2934 13 : ads_process_results(ads, res, ads_dump_field, NULL);
2935 13 : }
2936 :
2937 : /**
2938 : * Walk through results, calling a function for each entry found.
2939 : * The function receives a field name, a berval * array of values,
2940 : * and a data area passed through from the start. The function is
2941 : * called once with null for field and values at the end of each
2942 : * entry.
2943 : * @param ads connection to ads server
2944 : * @param res Results to process
2945 : * @param fn Function for processing each result
2946 : * @param data_area user-defined area to pass to function
2947 : **/
2948 13 : void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
2949 : bool (*fn)(ADS_STRUCT *, char *, void **, void *),
2950 : void *data_area)
2951 : {
2952 : LDAPMessage *msg;
2953 : TALLOC_CTX *ctx;
2954 : size_t converted_size;
2955 :
2956 13 : if (!(ctx = talloc_init("ads_process_results")))
2957 0 : return;
2958 :
2959 64 : for (msg = ads_first_entry(ads, res); msg;
2960 51 : msg = ads_next_entry(ads, msg)) {
2961 : char *utf8_field;
2962 : BerElement *b;
2963 :
2964 51 : for (utf8_field=ldap_first_attribute(ads->ldap.ld,
2965 : (LDAPMessage *)msg,&b);
2966 102 : utf8_field;
2967 51 : utf8_field=ldap_next_attribute(ads->ldap.ld,
2968 : (LDAPMessage *)msg,b)) {
2969 : struct berval **ber_vals;
2970 : char **str_vals;
2971 : char **utf8_vals;
2972 : char *field;
2973 : bool string;
2974 :
2975 51 : if (!pull_utf8_talloc(ctx, &field, utf8_field,
2976 : &converted_size))
2977 : {
2978 0 : DEBUG(0,("ads_process_results: "
2979 : "pull_utf8_talloc failed: %s",
2980 : strerror(errno)));
2981 : }
2982 :
2983 51 : string = fn(ads, field, NULL, data_area);
2984 :
2985 51 : if (string) {
2986 : const char **p;
2987 :
2988 51 : utf8_vals = ldap_get_values(ads->ldap.ld,
2989 : (LDAPMessage *)msg, field);
2990 51 : p = discard_const_p(const char *, utf8_vals);
2991 51 : str_vals = ads_pull_strvals(ctx, p);
2992 51 : fn(ads, field, (void **) str_vals, data_area);
2993 51 : ldap_value_free(utf8_vals);
2994 : } else {
2995 0 : ber_vals = ldap_get_values_len(ads->ldap.ld,
2996 : (LDAPMessage *)msg, field);
2997 0 : fn(ads, field, (void **) ber_vals, data_area);
2998 :
2999 0 : ldap_value_free_len(ber_vals);
3000 : }
3001 51 : ldap_memfree(utf8_field);
3002 : }
3003 51 : ber_free(b, 0);
3004 51 : talloc_free_children(ctx);
3005 51 : fn(ads, NULL, NULL, data_area); /* completed an entry */
3006 :
3007 : }
3008 13 : talloc_destroy(ctx);
3009 : }
3010 :
3011 : /**
3012 : * count how many replies are in a LDAPMessage
3013 : * @param ads connection to ads server
3014 : * @param res Results to count
3015 : * @return number of replies
3016 : **/
3017 305 : int ads_count_replies(ADS_STRUCT *ads, void *res)
3018 : {
3019 305 : return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res);
3020 : }
3021 :
3022 : /**
3023 : * pull the first entry from a ADS result
3024 : * @param ads connection to ads server
3025 : * @param res Results of search
3026 : * @return first entry from result
3027 : **/
3028 13 : LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
3029 : {
3030 13 : return ldap_first_entry(ads->ldap.ld, res);
3031 : }
3032 :
3033 : /**
3034 : * pull the next entry from a ADS result
3035 : * @param ads connection to ads server
3036 : * @param res Results of search
3037 : * @return next entry from result
3038 : **/
3039 51 : LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
3040 : {
3041 51 : return ldap_next_entry(ads->ldap.ld, res);
3042 : }
3043 :
3044 : /**
3045 : * pull the first message from a ADS result
3046 : * @param ads connection to ads server
3047 : * @param res Results of search
3048 : * @return first message from result
3049 : **/
3050 0 : LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res)
3051 : {
3052 0 : return ldap_first_message(ads->ldap.ld, res);
3053 : }
3054 :
3055 : /**
3056 : * pull the next message from a ADS result
3057 : * @param ads connection to ads server
3058 : * @param res Results of search
3059 : * @return next message from result
3060 : **/
3061 0 : LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res)
3062 : {
3063 0 : return ldap_next_message(ads->ldap.ld, res);
3064 : }
3065 :
3066 : /**
3067 : * pull a single string from a ADS result
3068 : * @param ads connection to ads server
3069 : * @param mem_ctx TALLOC_CTX to use for allocating result string
3070 : * @param msg Results of search
3071 : * @param field Attribute to retrieve
3072 : * @return Result string in talloc context
3073 : **/
3074 99 : char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
3075 : const char *field)
3076 : {
3077 : char **values;
3078 99 : char *ret = NULL;
3079 : char *ux_string;
3080 : size_t converted_size;
3081 :
3082 99 : values = ldap_get_values(ads->ldap.ld, msg, field);
3083 99 : if (!values)
3084 2 : return NULL;
3085 :
3086 97 : if (values[0] && pull_utf8_talloc(mem_ctx, &ux_string, values[0],
3087 : &converted_size))
3088 : {
3089 97 : ret = ux_string;
3090 : }
3091 97 : ldap_value_free(values);
3092 97 : return ret;
3093 : }
3094 :
3095 : /**
3096 : * pull an array of strings from a ADS result
3097 : * @param ads connection to ads server
3098 : * @param mem_ctx TALLOC_CTX to use for allocating result string
3099 : * @param msg Results of search
3100 : * @param field Attribute to retrieve
3101 : * @return Result strings in talloc context
3102 : **/
3103 26 : char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3104 : LDAPMessage *msg, const char *field,
3105 : size_t *num_values)
3106 : {
3107 : char **values;
3108 26 : char **ret = NULL;
3109 : size_t i, converted_size;
3110 :
3111 26 : values = ldap_get_values(ads->ldap.ld, msg, field);
3112 26 : if (!values)
3113 0 : return NULL;
3114 :
3115 26 : *num_values = ldap_count_values(values);
3116 :
3117 26 : ret = talloc_array(mem_ctx, char *, *num_values + 1);
3118 26 : if (!ret) {
3119 0 : ldap_value_free(values);
3120 0 : return NULL;
3121 : }
3122 :
3123 130 : for (i=0;i<*num_values;i++) {
3124 104 : if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i],
3125 : &converted_size))
3126 : {
3127 0 : ldap_value_free(values);
3128 0 : return NULL;
3129 : }
3130 : }
3131 26 : ret[i] = NULL;
3132 :
3133 26 : ldap_value_free(values);
3134 26 : return ret;
3135 : }
3136 :
3137 : /**
3138 : * pull an array of strings from a ADS result
3139 : * (handle large multivalue attributes with range retrieval)
3140 : * @param ads connection to ads server
3141 : * @param mem_ctx TALLOC_CTX to use for allocating result string
3142 : * @param msg Results of search
3143 : * @param field Attribute to retrieve
3144 : * @param current_strings strings returned by a previous call to this function
3145 : * @param next_attribute The next query should ask for this attribute
3146 : * @param num_values How many values did we get this time?
3147 : * @param more_values Are there more values to get?
3148 : * @return Result strings in talloc context
3149 : **/
3150 0 : char **ads_pull_strings_range(ADS_STRUCT *ads,
3151 : TALLOC_CTX *mem_ctx,
3152 : LDAPMessage *msg, const char *field,
3153 : char **current_strings,
3154 : const char **next_attribute,
3155 : size_t *num_strings,
3156 : bool *more_strings)
3157 : {
3158 : char *attr;
3159 : char *expected_range_attrib, *range_attr;
3160 0 : BerElement *ptr = NULL;
3161 : char **strings;
3162 : char **new_strings;
3163 : size_t num_new_strings;
3164 : unsigned long int range_start;
3165 : unsigned long int range_end;
3166 :
3167 : /* we might have been given the whole lot anyway */
3168 0 : if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
3169 0 : *more_strings = False;
3170 0 : return strings;
3171 : }
3172 :
3173 0 : expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
3174 :
3175 : /* look for Range result */
3176 0 : for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr);
3177 0 : attr;
3178 0 : attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) {
3179 : /* we ignore the fact that this is utf8, as all attributes are ascii... */
3180 0 : if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
3181 0 : range_attr = attr;
3182 0 : break;
3183 : }
3184 0 : ldap_memfree(attr);
3185 : }
3186 0 : if (!attr) {
3187 0 : ber_free(ptr, 0);
3188 : /* nothing here - this field is just empty */
3189 0 : *more_strings = False;
3190 0 : return NULL;
3191 : }
3192 :
3193 0 : if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
3194 : &range_start, &range_end) == 2) {
3195 0 : *more_strings = True;
3196 : } else {
3197 0 : if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
3198 : &range_start) == 1) {
3199 0 : *more_strings = False;
3200 : } else {
3201 0 : DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
3202 : range_attr));
3203 0 : ldap_memfree(range_attr);
3204 0 : *more_strings = False;
3205 0 : return NULL;
3206 : }
3207 : }
3208 :
3209 0 : if ((*num_strings) != range_start) {
3210 0 : DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
3211 : " - aborting range retreival\n",
3212 : range_attr, (unsigned int)(*num_strings) + 1, range_start));
3213 0 : ldap_memfree(range_attr);
3214 0 : *more_strings = False;
3215 0 : return NULL;
3216 : }
3217 :
3218 0 : new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
3219 :
3220 0 : if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
3221 0 : DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
3222 : "strings in this bunch, but we only got %lu - aborting range retreival\n",
3223 : range_attr, (unsigned long int)range_end - range_start + 1,
3224 : (unsigned long int)num_new_strings));
3225 0 : ldap_memfree(range_attr);
3226 0 : *more_strings = False;
3227 0 : return NULL;
3228 : }
3229 :
3230 0 : strings = talloc_realloc(mem_ctx, current_strings, char *,
3231 : *num_strings + num_new_strings);
3232 :
3233 0 : if (strings == NULL) {
3234 0 : ldap_memfree(range_attr);
3235 0 : *more_strings = False;
3236 0 : return NULL;
3237 : }
3238 :
3239 0 : if (new_strings && num_new_strings) {
3240 0 : memcpy(&strings[*num_strings], new_strings,
3241 : sizeof(*new_strings) * num_new_strings);
3242 : }
3243 :
3244 0 : (*num_strings) += num_new_strings;
3245 :
3246 0 : if (*more_strings) {
3247 0 : *next_attribute = talloc_asprintf(mem_ctx,
3248 : "%s;range=%d-*",
3249 : field,
3250 0 : (int)*num_strings);
3251 :
3252 0 : if (!*next_attribute) {
3253 0 : DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
3254 0 : ldap_memfree(range_attr);
3255 0 : *more_strings = False;
3256 0 : return NULL;
3257 : }
3258 : }
3259 :
3260 0 : ldap_memfree(range_attr);
3261 :
3262 0 : return strings;
3263 : }
3264 :
3265 : /**
3266 : * pull a single uint32_t from a ADS result
3267 : * @param ads connection to ads server
3268 : * @param msg Results of search
3269 : * @param field Attribute to retrieve
3270 : * @param v Pointer to int to store result
3271 : * @return boolean inidicating success
3272 : */
3273 126 : bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
3274 : uint32_t *v)
3275 : {
3276 : char **values;
3277 :
3278 126 : values = ldap_get_values(ads->ldap.ld, msg, field);
3279 126 : if (!values)
3280 70 : return False;
3281 56 : if (!values[0]) {
3282 0 : ldap_value_free(values);
3283 0 : return False;
3284 : }
3285 :
3286 56 : *v = atoi(values[0]);
3287 56 : ldap_value_free(values);
3288 56 : return True;
3289 : }
3290 :
3291 : /**
3292 : * pull a single objectGUID from an ADS result
3293 : * @param ads connection to ADS server
3294 : * @param msg results of search
3295 : * @param guid 37-byte area to receive text guid
3296 : * @return boolean indicating success
3297 : **/
3298 0 : bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
3299 : {
3300 : DATA_BLOB blob;
3301 : NTSTATUS status;
3302 :
3303 0 : if (!smbldap_talloc_single_blob(talloc_tos(), ads->ldap.ld, msg, "objectGUID",
3304 : &blob)) {
3305 0 : return false;
3306 : }
3307 :
3308 0 : status = GUID_from_ndr_blob(&blob, guid);
3309 0 : talloc_free(blob.data);
3310 0 : return NT_STATUS_IS_OK(status);
3311 : }
3312 :
3313 :
3314 : /**
3315 : * pull a single struct dom_sid from a ADS result
3316 : * @param ads connection to ads server
3317 : * @param msg Results of search
3318 : * @param field Attribute to retrieve
3319 : * @param sid Pointer to sid to store result
3320 : * @return boolean inidicating success
3321 : */
3322 74 : bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
3323 : struct dom_sid *sid)
3324 : {
3325 74 : return smbldap_pull_sid(ads->ldap.ld, msg, field, sid);
3326 : }
3327 :
3328 : /**
3329 : * pull an array of struct dom_sids from a ADS result
3330 : * @param ads connection to ads server
3331 : * @param mem_ctx TALLOC_CTX for allocating sid array
3332 : * @param msg Results of search
3333 : * @param field Attribute to retrieve
3334 : * @param sids pointer to sid array to allocate
3335 : * @return the count of SIDs pulled
3336 : **/
3337 0 : int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3338 : LDAPMessage *msg, const char *field, struct dom_sid **sids)
3339 : {
3340 : struct berval **values;
3341 : int count, i;
3342 :
3343 0 : values = ldap_get_values_len(ads->ldap.ld, msg, field);
3344 :
3345 0 : if (!values)
3346 0 : return 0;
3347 :
3348 0 : for (i=0; values[i]; i++)
3349 : /* nop */ ;
3350 :
3351 0 : if (i) {
3352 0 : (*sids) = talloc_array(mem_ctx, struct dom_sid, i);
3353 0 : if (!(*sids)) {
3354 0 : ldap_value_free_len(values);
3355 0 : return 0;
3356 : }
3357 : } else {
3358 0 : (*sids) = NULL;
3359 : }
3360 :
3361 0 : count = 0;
3362 0 : for (i=0; values[i]; i++) {
3363 : ssize_t ret;
3364 0 : ret = sid_parse((const uint8_t *)values[i]->bv_val,
3365 0 : values[i]->bv_len, &(*sids)[count]);
3366 0 : if (ret != -1) {
3367 : struct dom_sid_buf buf;
3368 0 : DBG_DEBUG("pulling SID: %s\n",
3369 : dom_sid_str_buf(&(*sids)[count], &buf));
3370 0 : count++;
3371 : }
3372 : }
3373 :
3374 0 : ldap_value_free_len(values);
3375 0 : return count;
3376 : }
3377 :
3378 : /**
3379 : * pull a struct security_descriptor from a ADS result
3380 : * @param ads connection to ads server
3381 : * @param mem_ctx TALLOC_CTX for allocating sid array
3382 : * @param msg Results of search
3383 : * @param field Attribute to retrieve
3384 : * @param sd Pointer to *struct security_descriptor to store result (talloc()ed)
3385 : * @return boolean inidicating success
3386 : */
3387 0 : bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3388 : LDAPMessage *msg, const char *field,
3389 : struct security_descriptor **sd)
3390 : {
3391 : struct berval **values;
3392 0 : bool ret = true;
3393 :
3394 0 : values = ldap_get_values_len(ads->ldap.ld, msg, field);
3395 :
3396 0 : if (!values) return false;
3397 :
3398 0 : if (values[0]) {
3399 : NTSTATUS status;
3400 0 : status = unmarshall_sec_desc(mem_ctx,
3401 0 : (uint8_t *)values[0]->bv_val,
3402 0 : values[0]->bv_len, sd);
3403 0 : if (!NT_STATUS_IS_OK(status)) {
3404 0 : DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
3405 : nt_errstr(status)));
3406 0 : ret = false;
3407 : }
3408 : }
3409 :
3410 0 : ldap_value_free_len(values);
3411 0 : return ret;
3412 : }
3413 :
3414 : /*
3415 : * in order to support usernames longer than 21 characters we need to
3416 : * use both the sAMAccountName and the userPrincipalName attributes
3417 : * It seems that not all users have the userPrincipalName attribute set
3418 : *
3419 : * @param ads connection to ads server
3420 : * @param mem_ctx TALLOC_CTX for allocating sid array
3421 : * @param msg Results of search
3422 : * @return the username
3423 : */
3424 0 : char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
3425 : LDAPMessage *msg)
3426 : {
3427 : #if 0 /* JERRY */
3428 : char *ret, *p;
3429 :
3430 : /* lookup_name() only works on the sAMAccountName to
3431 : returning the username portion of userPrincipalName
3432 : breaks winbindd_getpwnam() */
3433 :
3434 : ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
3435 : if (ret && (p = strchr_m(ret, '@'))) {
3436 : *p = 0;
3437 : return ret;
3438 : }
3439 : #endif
3440 0 : return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
3441 : }
3442 :
3443 :
3444 : /**
3445 : * find the update serial number - this is the core of the ldap cache
3446 : * @param ads connection to ads server
3447 : * @param ads connection to ADS server
3448 : * @param usn Pointer to retrieved update serial number
3449 : * @return status of search
3450 : **/
3451 0 : ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32_t *usn)
3452 : {
3453 0 : const char *attrs[] = {"highestCommittedUSN", NULL};
3454 : ADS_STATUS status;
3455 : LDAPMessage *res;
3456 :
3457 0 : status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3458 0 : if (!ADS_ERR_OK(status))
3459 0 : return status;
3460 :
3461 0 : if (ads_count_replies(ads, res) != 1) {
3462 0 : ads_msgfree(ads, res);
3463 0 : return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3464 : }
3465 :
3466 0 : if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
3467 0 : ads_msgfree(ads, res);
3468 0 : return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
3469 : }
3470 :
3471 0 : ads_msgfree(ads, res);
3472 0 : return ADS_SUCCESS;
3473 : }
3474 :
3475 : /* parse a ADS timestring - typical string is
3476 : '20020917091222.0Z0' which means 09:12.22 17th September
3477 : 2002, timezone 0 */
3478 95 : static time_t ads_parse_time(const char *str)
3479 : {
3480 : struct tm tm;
3481 :
3482 95 : ZERO_STRUCT(tm);
3483 :
3484 95 : if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
3485 : &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
3486 : &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
3487 0 : return 0;
3488 : }
3489 95 : tm.tm_year -= 1900;
3490 95 : tm.tm_mon -= 1;
3491 :
3492 95 : return timegm(&tm);
3493 : }
3494 :
3495 : /********************************************************************
3496 : ********************************************************************/
3497 :
3498 95 : ADS_STATUS ads_current_time(ADS_STRUCT *ads)
3499 : {
3500 95 : const char *attrs[] = {"currentTime", NULL};
3501 : ADS_STATUS status;
3502 : LDAPMessage *res;
3503 : char *timestr;
3504 95 : TALLOC_CTX *tmp_ctx = talloc_stackframe();
3505 95 : ADS_STRUCT *ads_s = ads;
3506 :
3507 : /* establish a new ldap tcp session if necessary */
3508 :
3509 95 : if ( !ads->ldap.ld ) {
3510 : /*
3511 : * ADS_STRUCT may be being reused after a
3512 : * DC lookup, so ads->ldap.ss may already have a
3513 : * good address. If not, re-initialize the passed-in
3514 : * ADS_STRUCT with the given server.XXXX parameters.
3515 : *
3516 : * Note that this doesn't depend on
3517 : * ads->server.ldap_server != NULL,
3518 : * as the case where ads->server.ldap_server==NULL and
3519 : * ads->ldap.ss != zero_address is precisely the DC
3520 : * lookup case where ads->ldap.ss was found by going
3521 : * through ads_find_dc() again we want to avoid repeating.
3522 : */
3523 3 : if (is_zero_addr(&ads->ldap.ss)) {
3524 0 : ads_s = ads_init(tmp_ctx,
3525 : ads->server.realm,
3526 : ads->server.workgroup,
3527 : ads->server.ldap_server,
3528 : ADS_SASL_PLAIN );
3529 0 : if (ads_s == NULL) {
3530 0 : status = ADS_ERROR(LDAP_NO_MEMORY);
3531 0 : goto done;
3532 : }
3533 : }
3534 :
3535 : /*
3536 : * Reset ads->config.flags as it can contain the flags
3537 : * returned by the previous CLDAP ping when reusing the struct.
3538 : */
3539 3 : ads_s->config.flags = 0;
3540 :
3541 3 : ads_s->auth.flags = ADS_AUTH_ANON_BIND;
3542 3 : status = ads_connect( ads_s );
3543 3 : if ( !ADS_ERR_OK(status))
3544 0 : goto done;
3545 : }
3546 :
3547 95 : status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3548 95 : if (!ADS_ERR_OK(status)) {
3549 0 : goto done;
3550 : }
3551 :
3552 95 : timestr = ads_pull_string(ads_s, tmp_ctx, res, "currentTime");
3553 95 : if (!timestr) {
3554 0 : ads_msgfree(ads_s, res);
3555 0 : status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3556 0 : goto done;
3557 : }
3558 :
3559 : /* but save the time and offset in the original ADS_STRUCT */
3560 :
3561 95 : ads->config.current_time = ads_parse_time(timestr);
3562 :
3563 95 : if (ads->config.current_time != 0) {
3564 95 : ads->auth.time_offset = ads->config.current_time - time(NULL);
3565 95 : DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
3566 : }
3567 :
3568 95 : ads_msgfree(ads, res);
3569 :
3570 95 : status = ADS_SUCCESS;
3571 :
3572 95 : done:
3573 95 : TALLOC_FREE(tmp_ctx);
3574 :
3575 95 : return status;
3576 : }
3577 :
3578 : /********************************************************************
3579 : ********************************************************************/
3580 :
3581 50 : ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
3582 : {
3583 50 : TALLOC_CTX *tmp_ctx = talloc_stackframe();
3584 50 : const char *attrs[] = {"domainFunctionality", NULL};
3585 : ADS_STATUS status;
3586 : LDAPMessage *res;
3587 50 : ADS_STRUCT *ads_s = ads;
3588 :
3589 50 : *val = DS_DOMAIN_FUNCTION_2000;
3590 :
3591 : /* establish a new ldap tcp session if necessary */
3592 :
3593 50 : if ( !ads->ldap.ld ) {
3594 : /*
3595 : * ADS_STRUCT may be being reused after a
3596 : * DC lookup, so ads->ldap.ss may already have a
3597 : * good address. If not, re-initialize the passed-in
3598 : * ADS_STRUCT with the given server.XXXX parameters.
3599 : *
3600 : * Note that this doesn't depend on
3601 : * ads->server.ldap_server != NULL,
3602 : * as the case where ads->server.ldap_server==NULL and
3603 : * ads->ldap.ss != zero_address is precisely the DC
3604 : * lookup case where ads->ldap.ss was found by going
3605 : * through ads_find_dc() again we want to avoid repeating.
3606 : */
3607 0 : if (is_zero_addr(&ads->ldap.ss)) {
3608 0 : ads_s = ads_init(tmp_ctx,
3609 : ads->server.realm,
3610 : ads->server.workgroup,
3611 : ads->server.ldap_server,
3612 : ADS_SASL_PLAIN );
3613 0 : if (ads_s == NULL ) {
3614 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
3615 0 : goto done;
3616 : }
3617 : }
3618 :
3619 : /*
3620 : * Reset ads->config.flags as it can contain the flags
3621 : * returned by the previous CLDAP ping when reusing the struct.
3622 : */
3623 0 : ads_s->config.flags = 0;
3624 :
3625 0 : ads_s->auth.flags = ADS_AUTH_ANON_BIND;
3626 0 : status = ads_connect( ads_s );
3627 0 : if ( !ADS_ERR_OK(status))
3628 0 : goto done;
3629 : }
3630 :
3631 : /* If the attribute does not exist assume it is a Windows 2000
3632 : functional domain */
3633 :
3634 50 : status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3635 50 : if (!ADS_ERR_OK(status)) {
3636 0 : if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
3637 0 : status = ADS_SUCCESS;
3638 : }
3639 0 : goto done;
3640 : }
3641 :
3642 50 : if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
3643 0 : DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
3644 : }
3645 50 : DEBUG(3,("ads_domain_func_level: %d\n", *val));
3646 :
3647 :
3648 50 : ads_msgfree(ads_s, res);
3649 :
3650 50 : done:
3651 50 : TALLOC_FREE(tmp_ctx);
3652 :
3653 50 : return status;
3654 : }
3655 :
3656 : /**
3657 : * find the domain sid for our domain
3658 : * @param ads connection to ads server
3659 : * @param sid Pointer to domain sid
3660 : * @return status of search
3661 : **/
3662 0 : ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid)
3663 : {
3664 0 : const char *attrs[] = {"objectSid", NULL};
3665 : LDAPMessage *res;
3666 : ADS_STATUS rc;
3667 :
3668 0 : rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
3669 : attrs, &res);
3670 0 : if (!ADS_ERR_OK(rc)) return rc;
3671 0 : if (!ads_pull_sid(ads, res, "objectSid", sid)) {
3672 0 : ads_msgfree(ads, res);
3673 0 : return ADS_ERROR_SYSTEM(ENOENT);
3674 : }
3675 0 : ads_msgfree(ads, res);
3676 :
3677 0 : return ADS_SUCCESS;
3678 : }
3679 :
3680 : /**
3681 : * find our site name
3682 : * @param ads connection to ads server
3683 : * @param mem_ctx Pointer to talloc context
3684 : * @param site_name Pointer to the sitename
3685 : * @return status of search
3686 : **/
3687 0 : ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
3688 : {
3689 : ADS_STATUS status;
3690 : LDAPMessage *res;
3691 : const char *dn, *service_name;
3692 0 : const char *attrs[] = { "dsServiceName", NULL };
3693 :
3694 0 : status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3695 0 : if (!ADS_ERR_OK(status)) {
3696 0 : return status;
3697 : }
3698 :
3699 0 : service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
3700 0 : if (service_name == NULL) {
3701 0 : ads_msgfree(ads, res);
3702 0 : return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3703 : }
3704 :
3705 0 : ads_msgfree(ads, res);
3706 :
3707 : /* go up three levels */
3708 0 : dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
3709 0 : if (dn == NULL) {
3710 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3711 : }
3712 :
3713 0 : *site_name = talloc_strdup(mem_ctx, dn);
3714 0 : if (*site_name == NULL) {
3715 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3716 : }
3717 :
3718 0 : return status;
3719 : /*
3720 : dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
3721 : */
3722 : }
3723 :
3724 : /**
3725 : * find the site dn where a machine resides
3726 : * @param ads connection to ads server
3727 : * @param mem_ctx Pointer to talloc context
3728 : * @param computer_name name of the machine
3729 : * @param site_name Pointer to the sitename
3730 : * @return status of search
3731 : **/
3732 0 : ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
3733 : {
3734 : ADS_STATUS status;
3735 : LDAPMessage *res;
3736 : const char *parent, *filter;
3737 0 : char *config_context = NULL;
3738 : char *dn;
3739 :
3740 : /* shortcut a query */
3741 0 : if (strequal(computer_name, ads->config.ldap_server_name)) {
3742 0 : return ads_site_dn(ads, mem_ctx, site_dn);
3743 : }
3744 :
3745 0 : status = ads_config_path(ads, mem_ctx, &config_context);
3746 0 : if (!ADS_ERR_OK(status)) {
3747 0 : return status;
3748 : }
3749 :
3750 0 : filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
3751 0 : if (filter == NULL) {
3752 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3753 : }
3754 :
3755 0 : status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE,
3756 : filter, NULL, &res);
3757 0 : if (!ADS_ERR_OK(status)) {
3758 0 : return status;
3759 : }
3760 :
3761 0 : if (ads_count_replies(ads, res) != 1) {
3762 0 : ads_msgfree(ads, res);
3763 0 : return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
3764 : }
3765 :
3766 0 : dn = ads_get_dn(ads, mem_ctx, res);
3767 0 : if (dn == NULL) {
3768 0 : ads_msgfree(ads, res);
3769 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3770 : }
3771 :
3772 : /* go up three levels */
3773 0 : parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
3774 0 : if (parent == NULL) {
3775 0 : ads_msgfree(ads, res);
3776 0 : TALLOC_FREE(dn);
3777 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3778 : }
3779 :
3780 0 : *site_dn = talloc_strdup(mem_ctx, parent);
3781 0 : if (*site_dn == NULL) {
3782 0 : ads_msgfree(ads, res);
3783 0 : TALLOC_FREE(dn);
3784 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3785 : }
3786 :
3787 0 : TALLOC_FREE(dn);
3788 0 : ads_msgfree(ads, res);
3789 :
3790 0 : return status;
3791 : }
3792 :
3793 : /**
3794 : * get the upn suffixes for a domain
3795 : * @param ads connection to ads server
3796 : * @param mem_ctx Pointer to talloc context
3797 : * @param suffixes Pointer to an array of suffixes
3798 : * @param num_suffixes Pointer to the number of suffixes
3799 : * @return status of search
3800 : **/
3801 0 : ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
3802 : {
3803 : ADS_STATUS status;
3804 : LDAPMessage *res;
3805 : const char *base;
3806 0 : char *config_context = NULL;
3807 0 : const char *attrs[] = { "uPNSuffixes", NULL };
3808 :
3809 0 : status = ads_config_path(ads, mem_ctx, &config_context);
3810 0 : if (!ADS_ERR_OK(status)) {
3811 0 : return status;
3812 : }
3813 :
3814 0 : base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
3815 0 : if (base == NULL) {
3816 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3817 : }
3818 :
3819 0 : status = ads_search_dn(ads, &res, base, attrs);
3820 0 : if (!ADS_ERR_OK(status)) {
3821 0 : return status;
3822 : }
3823 :
3824 0 : if (ads_count_replies(ads, res) != 1) {
3825 0 : ads_msgfree(ads, res);
3826 0 : return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
3827 : }
3828 :
3829 0 : (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
3830 0 : if ((*suffixes) == NULL) {
3831 0 : ads_msgfree(ads, res);
3832 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3833 : }
3834 :
3835 0 : ads_msgfree(ads, res);
3836 :
3837 0 : return status;
3838 : }
3839 :
3840 : /**
3841 : * get the joinable ous for a domain
3842 : * @param ads connection to ads server
3843 : * @param mem_ctx Pointer to talloc context
3844 : * @param ous Pointer to an array of ous
3845 : * @param num_ous Pointer to the number of ous
3846 : * @return status of search
3847 : **/
3848 0 : ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
3849 : TALLOC_CTX *mem_ctx,
3850 : char ***ous,
3851 : size_t *num_ous)
3852 : {
3853 : ADS_STATUS status;
3854 0 : LDAPMessage *res = NULL;
3855 0 : LDAPMessage *msg = NULL;
3856 0 : const char *attrs[] = { "dn", NULL };
3857 0 : int count = 0;
3858 :
3859 0 : status = ads_search(ads, &res,
3860 : "(|(objectClass=domain)(objectclass=organizationalUnit))",
3861 : attrs);
3862 0 : if (!ADS_ERR_OK(status)) {
3863 0 : return status;
3864 : }
3865 :
3866 0 : count = ads_count_replies(ads, res);
3867 0 : if (count < 1) {
3868 0 : ads_msgfree(ads, res);
3869 0 : return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3870 : }
3871 :
3872 0 : for (msg = ads_first_entry(ads, res); msg;
3873 0 : msg = ads_next_entry(ads, msg)) {
3874 0 : const char **p = discard_const_p(const char *, *ous);
3875 0 : char *dn = NULL;
3876 :
3877 0 : dn = ads_get_dn(ads, talloc_tos(), msg);
3878 0 : if (!dn) {
3879 0 : ads_msgfree(ads, res);
3880 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3881 : }
3882 :
3883 0 : if (!add_string_to_array(mem_ctx, dn, &p, num_ous)) {
3884 0 : TALLOC_FREE(dn);
3885 0 : ads_msgfree(ads, res);
3886 0 : return ADS_ERROR(LDAP_NO_MEMORY);
3887 : }
3888 :
3889 0 : TALLOC_FREE(dn);
3890 0 : *ous = discard_const_p(char *, p);
3891 : }
3892 :
3893 0 : ads_msgfree(ads, res);
3894 :
3895 0 : return status;
3896 : }
3897 :
3898 :
3899 : /**
3900 : * pull a struct dom_sid from an extended dn string
3901 : * @param mem_ctx TALLOC_CTX
3902 : * @param extended_dn string
3903 : * @param flags string type of extended_dn
3904 : * @param sid pointer to a struct dom_sid
3905 : * @return NT_STATUS_OK on success,
3906 : * NT_INVALID_PARAMETER on error,
3907 : * NT_STATUS_NOT_FOUND if no SID present
3908 : **/
3909 0 : ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
3910 : const char *extended_dn,
3911 : enum ads_extended_dn_flags flags,
3912 : struct dom_sid *sid)
3913 : {
3914 : char *p, *q, *dn;
3915 :
3916 0 : if (!extended_dn) {
3917 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3918 : }
3919 :
3920 : /* otherwise extended_dn gets stripped off */
3921 0 : if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
3922 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3923 : }
3924 : /*
3925 : * ADS_EXTENDED_DN_HEX_STRING:
3926 : * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
3927 : *
3928 : * ADS_EXTENDED_DN_STRING (only with w2k3):
3929 : * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
3930 : *
3931 : * Object with no SID, such as an Exchange Public Folder
3932 : * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com
3933 : */
3934 :
3935 0 : p = strchr(dn, ';');
3936 0 : if (!p) {
3937 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3938 : }
3939 :
3940 0 : if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
3941 0 : DEBUG(5,("No SID present in extended dn\n"));
3942 0 : return ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
3943 : }
3944 :
3945 0 : p += strlen(";<SID=");
3946 :
3947 0 : q = strchr(p, '>');
3948 0 : if (!q) {
3949 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3950 : }
3951 :
3952 0 : *q = '\0';
3953 :
3954 0 : DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
3955 :
3956 0 : switch (flags) {
3957 :
3958 0 : case ADS_EXTENDED_DN_STRING:
3959 0 : if (!string_to_sid(sid, p)) {
3960 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3961 : }
3962 0 : break;
3963 0 : case ADS_EXTENDED_DN_HEX_STRING: {
3964 : ssize_t ret;
3965 : fstring buf;
3966 : size_t buf_len;
3967 :
3968 0 : buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
3969 0 : if (buf_len == 0) {
3970 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3971 : }
3972 :
3973 0 : ret = sid_parse((const uint8_t *)buf, buf_len, sid);
3974 0 : if (ret == -1) {
3975 0 : DEBUG(10,("failed to parse sid\n"));
3976 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3977 : }
3978 0 : break;
3979 : }
3980 0 : default:
3981 0 : DEBUG(10,("unknown extended dn format\n"));
3982 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3983 : }
3984 :
3985 0 : return ADS_ERROR_NT(NT_STATUS_OK);
3986 : }
3987 :
3988 : /********************************************************************
3989 : ********************************************************************/
3990 :
3991 0 : char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3992 : {
3993 0 : LDAPMessage *res = NULL;
3994 : ADS_STATUS status;
3995 0 : int count = 0;
3996 0 : char *name = NULL;
3997 :
3998 0 : status = ads_find_machine_acct(ads, &res, machine_name);
3999 0 : if (!ADS_ERR_OK(status)) {
4000 0 : DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
4001 : lp_netbios_name()));
4002 0 : goto out;
4003 : }
4004 :
4005 0 : if ( (count = ads_count_replies(ads, res)) != 1 ) {
4006 0 : DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
4007 0 : goto out;
4008 : }
4009 :
4010 0 : if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
4011 0 : DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
4012 : }
4013 :
4014 0 : out:
4015 0 : ads_msgfree(ads, res);
4016 :
4017 0 : return name;
4018 : }
4019 :
4020 : /********************************************************************
4021 : ********************************************************************/
4022 :
4023 0 : static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
4024 : LDAPMessage *msg, size_t *num_values)
4025 : {
4026 0 : const char *field = "msDS-AdditionalDnsHostName";
4027 0 : struct berval **values = NULL;
4028 0 : char **ret = NULL;
4029 : size_t i, converted_size;
4030 :
4031 : /*
4032 : * Windows DC implicitly adds a short name for each FQDN added to
4033 : * msDS-AdditionalDnsHostName, but it comes with a strage binary
4034 : * suffix "\0$" which we should ignore (see bug #14406).
4035 : */
4036 :
4037 0 : values = ldap_get_values_len(ads->ldap.ld, msg, field);
4038 0 : if (values == NULL) {
4039 0 : return NULL;
4040 : }
4041 :
4042 0 : *num_values = ldap_count_values_len(values);
4043 :
4044 0 : ret = talloc_array(mem_ctx, char *, *num_values + 1);
4045 0 : if (ret == NULL) {
4046 0 : ldap_value_free_len(values);
4047 0 : return NULL;
4048 : }
4049 :
4050 0 : for (i = 0; i < *num_values; i++) {
4051 0 : ret[i] = NULL;
4052 0 : if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
4053 0 : values[i]->bv_val,
4054 0 : strnlen(values[i]->bv_val,
4055 0 : values[i]->bv_len),
4056 0 : &ret[i], &converted_size)) {
4057 0 : ldap_value_free_len(values);
4058 0 : return NULL;
4059 : }
4060 : }
4061 0 : ret[i] = NULL;
4062 :
4063 0 : ldap_value_free_len(values);
4064 0 : return ret;
4065 : }
4066 :
4067 0 : ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
4068 : ADS_STRUCT *ads,
4069 : const char *machine_name,
4070 : char ***hostnames_array,
4071 : size_t *num_hostnames)
4072 : {
4073 : ADS_STATUS status;
4074 0 : LDAPMessage *res = NULL;
4075 : int count;
4076 :
4077 0 : status = ads_find_machine_acct(ads,
4078 : &res,
4079 : machine_name);
4080 0 : if (!ADS_ERR_OK(status)) {
4081 0 : DEBUG(1,("Host Account for %s not found... skipping operation.\n",
4082 : machine_name));
4083 0 : return status;
4084 : }
4085 :
4086 0 : count = ads_count_replies(ads, res);
4087 0 : if (count != 1) {
4088 0 : status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
4089 0 : goto done;
4090 : }
4091 :
4092 0 : *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
4093 0 : if (*hostnames_array == NULL) {
4094 0 : DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
4095 : machine_name));
4096 0 : status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
4097 0 : goto done;
4098 : }
4099 :
4100 0 : done:
4101 0 : ads_msgfree(ads, res);
4102 :
4103 0 : return status;
4104 : }
4105 :
4106 : /********************************************************************
4107 : ********************************************************************/
4108 :
4109 2 : char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
4110 : {
4111 2 : LDAPMessage *res = NULL;
4112 : ADS_STATUS status;
4113 2 : int count = 0;
4114 2 : char *name = NULL;
4115 :
4116 2 : status = ads_find_machine_acct(ads, &res, machine_name);
4117 2 : if (!ADS_ERR_OK(status)) {
4118 0 : DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
4119 : lp_netbios_name()));
4120 0 : goto out;
4121 : }
4122 :
4123 2 : if ( (count = ads_count_replies(ads, res)) != 1 ) {
4124 0 : DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
4125 0 : goto out;
4126 : }
4127 :
4128 2 : if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
4129 2 : DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
4130 : }
4131 :
4132 0 : out:
4133 2 : ads_msgfree(ads, res);
4134 :
4135 2 : return name;
4136 : }
4137 :
4138 : /********************************************************************
4139 : ********************************************************************/
4140 :
4141 0 : bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
4142 : {
4143 0 : LDAPMessage *res = NULL;
4144 : ADS_STATUS status;
4145 0 : int count = 0;
4146 0 : char *name = NULL;
4147 0 : bool ok = false;
4148 :
4149 0 : status = ads_find_machine_acct(ads, &res, machine_name);
4150 0 : if (!ADS_ERR_OK(status)) {
4151 0 : DEBUG(0,("ads_has_samaccountname: Failed to find account for %s\n",
4152 : lp_netbios_name()));
4153 0 : goto out;
4154 : }
4155 :
4156 0 : if ( (count = ads_count_replies(ads, res)) != 1 ) {
4157 0 : DEBUG(1,("ads_has_samaccountname: %d entries returned!\n", count));
4158 0 : goto out;
4159 : }
4160 :
4161 0 : if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
4162 0 : DEBUG(0,("ads_has_samaccountname: No sAMAccountName attribute!\n"));
4163 : }
4164 :
4165 0 : out:
4166 0 : ads_msgfree(ads, res);
4167 0 : if (name != NULL) {
4168 0 : ok = (strlen(name) > 0);
4169 : }
4170 0 : TALLOC_FREE(name);
4171 0 : return ok;
4172 : }
4173 :
4174 : #if 0
4175 :
4176 : SAVED CODE - we used to join via ldap - remember how we did this. JRA.
4177 :
4178 : /**
4179 : * Join a machine to a realm
4180 : * Creates the machine account and sets the machine password
4181 : * @param ads connection to ads server
4182 : * @param machine name of host to add
4183 : * @param org_unit Organizational unit to place machine in
4184 : * @return status of join
4185 : **/
4186 : ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
4187 : uint32_t account_type, const char *org_unit)
4188 : {
4189 : ADS_STATUS status;
4190 : LDAPMessage *res = NULL;
4191 : char *machine;
4192 :
4193 : /* machine name must be lowercase */
4194 : machine = SMB_STRDUP(machine_name);
4195 : strlower_m(machine);
4196 :
4197 : /*
4198 : status = ads_find_machine_acct(ads, (void **)&res, machine);
4199 : if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
4200 : DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
4201 : status = ads_leave_realm(ads, machine);
4202 : if (!ADS_ERR_OK(status)) {
4203 : DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
4204 : machine, ads->config.realm));
4205 : return status;
4206 : }
4207 : }
4208 : */
4209 : status = ads_add_machine_acct(ads, machine, account_type, org_unit);
4210 : if (!ADS_ERR_OK(status)) {
4211 : DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
4212 : SAFE_FREE(machine);
4213 : return status;
4214 : }
4215 :
4216 : status = ads_find_machine_acct(ads, (void **)(void *)&res, machine);
4217 : if (!ADS_ERR_OK(status)) {
4218 : DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
4219 : SAFE_FREE(machine);
4220 : return status;
4221 : }
4222 :
4223 : SAFE_FREE(machine);
4224 : ads_msgfree(ads, res);
4225 :
4226 : return status;
4227 : }
4228 : #endif
4229 :
4230 : /**
4231 : * Delete a machine from the realm
4232 : * @param ads connection to ads server
4233 : * @param hostname Machine to remove
4234 : * @return status of delete
4235 : **/
4236 0 : ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
4237 : {
4238 : ADS_STATUS status;
4239 : void *msg;
4240 : LDAPMessage *res;
4241 : char *hostnameDN, *host;
4242 : int rc;
4243 : LDAPControl ldap_control;
4244 0 : LDAPControl * pldap_control[2] = {NULL, NULL};
4245 :
4246 0 : pldap_control[0] = &ldap_control;
4247 0 : memset(&ldap_control, 0, sizeof(LDAPControl));
4248 0 : ldap_control.ldctl_oid = discard_const_p(char, LDAP_SERVER_TREE_DELETE_OID);
4249 :
4250 : /* hostname must be lowercase */
4251 0 : host = SMB_STRDUP(hostname);
4252 0 : if (!strlower_m(host)) {
4253 0 : SAFE_FREE(host);
4254 0 : return ADS_ERROR_SYSTEM(EINVAL);
4255 : }
4256 :
4257 0 : status = ads_find_machine_acct(ads, &res, host);
4258 0 : if (!ADS_ERR_OK(status)) {
4259 0 : DEBUG(0, ("Host account for %s does not exist.\n", host));
4260 0 : SAFE_FREE(host);
4261 0 : return status;
4262 : }
4263 :
4264 0 : msg = ads_first_entry(ads, res);
4265 0 : if (!msg) {
4266 0 : SAFE_FREE(host);
4267 0 : return ADS_ERROR_SYSTEM(ENOENT);
4268 : }
4269 :
4270 0 : hostnameDN = ads_get_dn(ads, talloc_tos(), (LDAPMessage *)msg);
4271 0 : if (hostnameDN == NULL) {
4272 0 : SAFE_FREE(host);
4273 0 : return ADS_ERROR_SYSTEM(ENOENT);
4274 : }
4275 :
4276 0 : rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
4277 0 : if (rc) {
4278 0 : DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
4279 : }else {
4280 0 : DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
4281 : }
4282 :
4283 0 : if (rc != LDAP_SUCCESS) {
4284 0 : const char *attrs[] = { "cn", NULL };
4285 : LDAPMessage *msg_sub;
4286 :
4287 : /* we only search with scope ONE, we do not expect any further
4288 : * objects to be created deeper */
4289 :
4290 0 : status = ads_do_search_retry(ads, hostnameDN,
4291 : LDAP_SCOPE_ONELEVEL,
4292 : "(objectclass=*)", attrs, &res);
4293 :
4294 0 : if (!ADS_ERR_OK(status)) {
4295 0 : SAFE_FREE(host);
4296 0 : TALLOC_FREE(hostnameDN);
4297 0 : return status;
4298 : }
4299 :
4300 0 : for (msg_sub = ads_first_entry(ads, res); msg_sub;
4301 0 : msg_sub = ads_next_entry(ads, msg_sub)) {
4302 :
4303 0 : char *dn = NULL;
4304 :
4305 0 : if ((dn = ads_get_dn(ads, talloc_tos(), msg_sub)) == NULL) {
4306 0 : SAFE_FREE(host);
4307 0 : TALLOC_FREE(hostnameDN);
4308 0 : return ADS_ERROR(LDAP_NO_MEMORY);
4309 : }
4310 :
4311 0 : status = ads_del_dn(ads, dn);
4312 0 : if (!ADS_ERR_OK(status)) {
4313 0 : DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
4314 0 : SAFE_FREE(host);
4315 0 : TALLOC_FREE(dn);
4316 0 : TALLOC_FREE(hostnameDN);
4317 0 : return status;
4318 : }
4319 :
4320 0 : TALLOC_FREE(dn);
4321 : }
4322 :
4323 : /* there should be no subordinate objects anymore */
4324 0 : status = ads_do_search_retry(ads, hostnameDN,
4325 : LDAP_SCOPE_ONELEVEL,
4326 : "(objectclass=*)", attrs, &res);
4327 :
4328 0 : if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
4329 0 : SAFE_FREE(host);
4330 0 : TALLOC_FREE(hostnameDN);
4331 0 : return status;
4332 : }
4333 :
4334 : /* delete hostnameDN now */
4335 0 : status = ads_del_dn(ads, hostnameDN);
4336 0 : if (!ADS_ERR_OK(status)) {
4337 0 : SAFE_FREE(host);
4338 0 : DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
4339 0 : TALLOC_FREE(hostnameDN);
4340 0 : return status;
4341 : }
4342 : }
4343 :
4344 0 : TALLOC_FREE(hostnameDN);
4345 :
4346 0 : status = ads_find_machine_acct(ads, &res, host);
4347 0 : if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
4348 0 : (status.err.rc != LDAP_NO_SUCH_OBJECT)) {
4349 0 : DEBUG(3, ("Failed to remove host account.\n"));
4350 0 : SAFE_FREE(host);
4351 0 : return status;
4352 : }
4353 :
4354 0 : SAFE_FREE(host);
4355 0 : return ADS_SUCCESS;
4356 : }
4357 :
4358 : /**
4359 : * pull all token-sids from an LDAP dn
4360 : * @param ads connection to ads server
4361 : * @param mem_ctx TALLOC_CTX for allocating sid array
4362 : * @param dn of LDAP object
4363 : * @param user_sid pointer to struct dom_sid (objectSid)
4364 : * @param primary_group_sid pointer to struct dom_sid (self composed)
4365 : * @param sids pointer to sid array to allocate
4366 : * @param num_sids counter of SIDs pulled
4367 : * @return status of token query
4368 : **/
4369 0 : ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
4370 : TALLOC_CTX *mem_ctx,
4371 : const char *dn,
4372 : struct dom_sid *user_sid,
4373 : struct dom_sid *primary_group_sid,
4374 : struct dom_sid **sids,
4375 : size_t *num_sids)
4376 : {
4377 : ADS_STATUS status;
4378 0 : LDAPMessage *res = NULL;
4379 0 : int count = 0;
4380 : size_t tmp_num_sids;
4381 : struct dom_sid *tmp_sids;
4382 : struct dom_sid tmp_user_sid;
4383 : struct dom_sid tmp_primary_group_sid;
4384 : uint32_t pgid;
4385 0 : const char *attrs[] = {
4386 : "objectSid",
4387 : "tokenGroups",
4388 : "primaryGroupID",
4389 : NULL
4390 : };
4391 :
4392 0 : status = ads_search_retry_dn(ads, &res, dn, attrs);
4393 0 : if (!ADS_ERR_OK(status)) {
4394 0 : return status;
4395 : }
4396 :
4397 0 : count = ads_count_replies(ads, res);
4398 0 : if (count != 1) {
4399 0 : ads_msgfree(ads, res);
4400 0 : return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
4401 : }
4402 :
4403 0 : if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
4404 0 : ads_msgfree(ads, res);
4405 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4406 : }
4407 :
4408 0 : if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
4409 0 : ads_msgfree(ads, res);
4410 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4411 : }
4412 :
4413 : {
4414 : /* hack to compose the primary group sid without knowing the
4415 : * domsid */
4416 :
4417 : struct dom_sid domsid;
4418 :
4419 0 : sid_copy(&domsid, &tmp_user_sid);
4420 :
4421 0 : if (!sid_split_rid(&domsid, NULL)) {
4422 0 : ads_msgfree(ads, res);
4423 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4424 : }
4425 :
4426 0 : if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
4427 0 : ads_msgfree(ads, res);
4428 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4429 : }
4430 : }
4431 :
4432 0 : tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
4433 :
4434 0 : if (tmp_num_sids == 0 || !tmp_sids) {
4435 0 : ads_msgfree(ads, res);
4436 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4437 : }
4438 :
4439 0 : if (num_sids) {
4440 0 : *num_sids = tmp_num_sids;
4441 : }
4442 :
4443 0 : if (sids) {
4444 0 : *sids = tmp_sids;
4445 : }
4446 :
4447 0 : if (user_sid) {
4448 0 : *user_sid = tmp_user_sid;
4449 : }
4450 :
4451 0 : if (primary_group_sid) {
4452 0 : *primary_group_sid = tmp_primary_group_sid;
4453 : }
4454 :
4455 0 : DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
4456 :
4457 0 : ads_msgfree(ads, res);
4458 0 : return ADS_ERROR_LDAP(LDAP_SUCCESS);
4459 : }
4460 :
4461 : /**
4462 : * Find a sAMAccoutName in LDAP
4463 : * @param ads connection to ads server
4464 : * @param mem_ctx TALLOC_CTX for allocating sid array
4465 : * @param samaccountname to search
4466 : * @param uac_ret uint32_t pointer userAccountControl attribute value
4467 : * @param dn_ret pointer to dn
4468 : * @return status of token query
4469 : **/
4470 0 : ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
4471 : TALLOC_CTX *mem_ctx,
4472 : const char *samaccountname,
4473 : uint32_t *uac_ret,
4474 : const char **dn_ret)
4475 : {
4476 : ADS_STATUS status;
4477 0 : const char *attrs[] = { "userAccountControl", NULL };
4478 : const char *filter;
4479 0 : LDAPMessage *res = NULL;
4480 0 : char *dn = NULL;
4481 0 : uint32_t uac = 0;
4482 :
4483 0 : filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
4484 : samaccountname);
4485 0 : if (filter == NULL) {
4486 0 : status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
4487 0 : goto out;
4488 : }
4489 :
4490 0 : status = ads_do_search_all(ads, ads->config.bind_path,
4491 : LDAP_SCOPE_SUBTREE,
4492 : filter, attrs, &res);
4493 :
4494 0 : if (!ADS_ERR_OK(status)) {
4495 0 : goto out;
4496 : }
4497 :
4498 0 : if (ads_count_replies(ads, res) != 1) {
4499 0 : status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
4500 0 : goto out;
4501 : }
4502 :
4503 0 : dn = ads_get_dn(ads, talloc_tos(), res);
4504 0 : if (dn == NULL) {
4505 0 : status = ADS_ERROR(LDAP_NO_MEMORY);
4506 0 : goto out;
4507 : }
4508 :
4509 0 : if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
4510 0 : status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
4511 0 : goto out;
4512 : }
4513 :
4514 0 : if (uac_ret) {
4515 0 : *uac_ret = uac;
4516 : }
4517 :
4518 0 : if (dn_ret) {
4519 0 : *dn_ret = talloc_strdup(mem_ctx, dn);
4520 0 : if (!*dn_ret) {
4521 0 : status = ADS_ERROR(LDAP_NO_MEMORY);
4522 0 : goto out;
4523 : }
4524 : }
4525 0 : out:
4526 0 : TALLOC_FREE(dn);
4527 0 : ads_msgfree(ads, res);
4528 :
4529 0 : return status;
4530 : }
4531 :
4532 : /**
4533 : * find our configuration path
4534 : * @param ads connection to ads server
4535 : * @param mem_ctx Pointer to talloc context
4536 : * @param config_path Pointer to the config path
4537 : * @return status of search
4538 : **/
4539 0 : ADS_STATUS ads_config_path(ADS_STRUCT *ads,
4540 : TALLOC_CTX *mem_ctx,
4541 : char **config_path)
4542 : {
4543 : ADS_STATUS status;
4544 0 : LDAPMessage *res = NULL;
4545 0 : const char *config_context = NULL;
4546 0 : const char *attrs[] = { "configurationNamingContext", NULL };
4547 :
4548 0 : status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
4549 : "(objectclass=*)", attrs, &res);
4550 0 : if (!ADS_ERR_OK(status)) {
4551 0 : return status;
4552 : }
4553 :
4554 0 : config_context = ads_pull_string(ads, mem_ctx, res,
4555 : "configurationNamingContext");
4556 0 : ads_msgfree(ads, res);
4557 0 : if (!config_context) {
4558 0 : return ADS_ERROR(LDAP_NO_MEMORY);
4559 : }
4560 :
4561 0 : if (config_path) {
4562 0 : *config_path = talloc_strdup(mem_ctx, config_context);
4563 0 : if (!*config_path) {
4564 0 : return ADS_ERROR(LDAP_NO_MEMORY);
4565 : }
4566 : }
4567 :
4568 0 : return ADS_ERROR(LDAP_SUCCESS);
4569 : }
4570 :
4571 : /**
4572 : * find the displayName of an extended right
4573 : * @param ads connection to ads server
4574 : * @param config_path The config path
4575 : * @param mem_ctx Pointer to talloc context
4576 : * @param GUID struct of the rightsGUID
4577 : * @return status of search
4578 : **/
4579 0 : const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
4580 : const char *config_path,
4581 : TALLOC_CTX *mem_ctx,
4582 : const struct GUID *rights_guid)
4583 : {
4584 : ADS_STATUS rc;
4585 0 : LDAPMessage *res = NULL;
4586 0 : char *expr = NULL;
4587 0 : const char *attrs[] = { "displayName", NULL };
4588 0 : const char *result = NULL;
4589 : const char *path;
4590 :
4591 0 : if (!ads || !mem_ctx || !rights_guid) {
4592 0 : goto done;
4593 : }
4594 :
4595 0 : expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
4596 : GUID_string(mem_ctx, rights_guid));
4597 0 : if (!expr) {
4598 0 : goto done;
4599 : }
4600 :
4601 0 : path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path);
4602 0 : if (!path) {
4603 0 : goto done;
4604 : }
4605 :
4606 0 : rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE,
4607 : expr, attrs, &res);
4608 0 : if (!ADS_ERR_OK(rc)) {
4609 0 : goto done;
4610 : }
4611 :
4612 0 : if (ads_count_replies(ads, res) != 1) {
4613 0 : goto done;
4614 : }
4615 :
4616 0 : result = ads_pull_string(ads, mem_ctx, res, "displayName");
4617 :
4618 0 : done:
4619 0 : ads_msgfree(ads, res);
4620 0 : return result;
4621 : }
4622 :
4623 : /**
4624 : * verify or build and verify an account ou
4625 : * @param mem_ctx Pointer to talloc context
4626 : * @param ads connection to ads server
4627 : * @param account_ou
4628 : * @return status of search
4629 : **/
4630 :
4631 26 : ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
4632 : ADS_STRUCT *ads,
4633 : const char **account_ou)
4634 : {
4635 : char **exploded_dn;
4636 : const char *name;
4637 : char *ou_string;
4638 :
4639 26 : if (account_ou == NULL) {
4640 0 : return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
4641 : }
4642 :
4643 26 : if (*account_ou != NULL) {
4644 0 : exploded_dn = ldap_explode_dn(*account_ou, 0);
4645 0 : if (exploded_dn) {
4646 0 : ldap_value_free(exploded_dn);
4647 0 : return ADS_SUCCESS;
4648 : }
4649 : }
4650 :
4651 26 : ou_string = ads_ou_string(ads, *account_ou);
4652 26 : if (!ou_string) {
4653 0 : return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
4654 : }
4655 :
4656 26 : name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
4657 : ads->config.bind_path);
4658 26 : SAFE_FREE(ou_string);
4659 :
4660 26 : if (!name) {
4661 0 : return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
4662 : }
4663 :
4664 26 : exploded_dn = ldap_explode_dn(name, 0);
4665 26 : if (!exploded_dn) {
4666 0 : return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
4667 : }
4668 26 : ldap_value_free(exploded_dn);
4669 :
4670 26 : *account_ou = name;
4671 26 : return ADS_SUCCESS;
4672 : }
4673 :
4674 : #endif
|