search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vfs_glusterfs: In vfs_gluster_sys_acl_get_file/fd, reduce the number of getxattr...
[Samba.git] / source3 / libads / ldap.c
blobb9adc9d9184428d4dd330671c25a45df18821b62
1 /*
2 Unix SMB/CIFS implementation.
3 ads (active directory) utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 Copyright (C) Guenther Deschner 2005
8 Copyright (C) Gerald Carter 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "ads.h"
26 #include "libads/sitename_cache.h"
27 #include "libads/cldap.h"
28 #include "../lib/addns/dnsquery.h"
29 #include "../libds/common/flags.h"
30 #include "smbldap.h"
31 #include "../libcli/security/security.h"
32 #include "lib/param/loadparm.h"
33
34 #ifdef HAVE_LDAP
35
36 /**
37 * @file ldap.c
38 * @brief basic ldap client-side routines for ads server communications
39 *
40 * The routines contained here should do the necessary ldap calls for
41 * ads setups.
42 *
43 * Important note: attribute names passed into ads_ routines must
44 * already be in UTF-8 format. We do not convert them because in almost
45 * all cases, they are just ascii (which is represented with the same
46 * codepoints in UTF-8). This may have to change at some point
47 **/
48
49
50 #define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
51
52 static SIG_ATOMIC_T gotalarm;
53
54 /***************************************************************
55 Signal function to tell us we timed out.
56 ****************************************************************/
57
58 static void gotalarm_sig(int signum)
59 {
60 gotalarm = 1;
61 }
62
63 LDAP *ldap_open_with_timeout(const char *server,
64 struct sockaddr_storage *ss,
65 int port, unsigned int to)
66 {
67 LDAP *ldp = NULL;
68
69 DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
70 "%u seconds\n", server, port, to));
71
72 #if defined(HAVE_LDAP_INIT_FD) && defined(SOCKET_WRAPPER)
73 /* Only use this private LDAP function if we are in make test,
74 * as this is the best way to get the emulated TCP socket into
75 * OpenLDAP */
76 if (socket_wrapper_dir() != NULL) {
77 int fd, ldap_err;
78 NTSTATUS status;
79 char *uri;
80
81 status = open_socket_out(ss, port, to, &fd);
82
83 if (!NT_STATUS_IS_OK(status)) {
84 return NULL;
85 }
86
87 #ifndef LDAP_PROTO_TCP
88 #define LDAP_PROTO_TCP 1
89 #endif
90 uri = talloc_asprintf(talloc_tos(), "ldap://%s:%u", server, port);
91 if (uri == NULL) {
92 return NULL;
93 }
94 ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
95 talloc_free(uri);
96
97 if (ldap_err != LDAP_SUCCESS) {
98 return NULL;
99 }
100 return ldp;
101 }
102 #endif
103
104 if (to) {
105 /* Setup timeout */
106 gotalarm = 0;
107 CatchSignal(SIGALRM, gotalarm_sig);
108 alarm(to);
109 /* End setup timeout. */
110 }
111
112 ldp = ldap_open(server, port);
113
114 if (ldp == NULL) {
115 DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n",
116 server, port, strerror(errno)));
117 } else {
118 DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port));
119 }
120
121 if (to) {
122 /* Teardown timeout. */
123 alarm(0);
124 CatchSignal(SIGALRM, SIG_IGN);
125 }
126
127 return ldp;
128 }
129
130 static int ldap_search_with_timeout(LDAP *ld,
131 LDAP_CONST char *base,
132 int scope,
133 LDAP_CONST char *filter,
134 char **attrs,
135 int attrsonly,
136 LDAPControl **sctrls,
137 LDAPControl **cctrls,
138 int sizelimit,
139 LDAPMessage **res )
140 {
141 int to = lp_ldap_timeout();
142 struct timeval timeout;
143 struct timeval *timeout_ptr = NULL;
144 int result;
145
146 /* Setup timeout for the ldap_search_ext_s call - local and remote. */
147 gotalarm = 0;
148
149 if (to) {
150 timeout.tv_sec = to;
151 timeout.tv_usec = 0;
152 timeout_ptr = &timeout;
153
154 /* Setup alarm timeout. */
155 CatchSignal(SIGALRM, gotalarm_sig);
156 /* Make the alarm time one second beyond
157 the timout we're setting for the
158 remote search timeout, to allow that
159 to fire in preference. */
160 alarm(to+1);
161 /* End setup timeout. */
162 }
163
164
165 result = ldap_search_ext_s(ld, base, scope, filter, attrs,
166 attrsonly, sctrls, cctrls, timeout_ptr,
167 sizelimit, res);
168
169 if (to) {
170 /* Teardown alarm timeout. */
171 CatchSignal(SIGALRM, SIG_IGN);
172 alarm(0);
173 }
174
175 if (gotalarm != 0)
176 return LDAP_TIMELIMIT_EXCEEDED;
177
178 /*
179 * A bug in OpenLDAP means ldap_search_ext_s can return
180 * LDAP_SUCCESS but with a NULL res pointer. Cope with
181 * this. See bug #6279 for details. JRA.
182 */
183
184 if (*res == NULL) {
185 return LDAP_TIMELIMIT_EXCEEDED;
186 }
187
188 return result;
189 }
190
191 /**********************************************
192 Do client and server sitename match ?
193 **********************************************/
194
195 bool ads_sitename_match(ADS_STRUCT *ads)
196 {
197 if (ads->config.server_site_name == NULL &&
198 ads->config.client_site_name == NULL ) {
199 DEBUG(10,("ads_sitename_match: both null\n"));
200 return True;
201 }
202 if (ads->config.server_site_name &&
203 ads->config.client_site_name &&
204 strequal(ads->config.server_site_name,
205 ads->config.client_site_name)) {
206 DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
207 return True;
208 }
209 DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
210 ads->config.server_site_name ? ads->config.server_site_name : "NULL",
211 ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
212 return False;
213 }
214
215 /**********************************************
216 Is this the closest DC ?
217 **********************************************/
218
219 bool ads_closest_dc(ADS_STRUCT *ads)
220 {
221 if (ads->config.flags & NBT_SERVER_CLOSEST) {
222 DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
223 return True;
224 }
225
226 /* not sure if this can ever happen */
227 if (ads_sitename_match(ads)) {
228 DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
229 return True;
230 }
231
232 if (ads->config.client_site_name == NULL) {
233 DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
234 return True;
235 }
236
237 DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
238 ads->config.ldap_server_name));
239
240 return False;
241 }
242
243
244 /*
245 try a connection to a given ldap server, returning True and setting the servers IP
246 in the ads struct if successful
247 */
248 static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
249 {
250 struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
251 TALLOC_CTX *frame = talloc_stackframe();
252 bool ret = false;
253 struct sockaddr_storage ss;
254 char addr[INET6_ADDRSTRLEN];
255
256 if (!server || !*server) {
257 TALLOC_FREE(frame);
258 return False;
259 }
260
261 if (!resolve_name(server, &ss, 0x20, true)) {
262 DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
263 server ));
264 TALLOC_FREE(frame);
265 return false;
266 }
267 print_sockaddr(addr, sizeof(addr), &ss);
268
269 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
270 addr, ads->server.realm));
271
272 ZERO_STRUCT( cldap_reply );
273
274 if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
275 DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
276 ret = false;
277 goto out;
278 }
279
280 /* Check the CLDAP reply flags */
281
282 if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
283 DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
284 addr));
285 ret = false;
286 goto out;
287 }
288
289 /* Fill in the ads->config values */
290
291 SAFE_FREE(ads->config.realm);
292 SAFE_FREE(ads->config.bind_path);
293 SAFE_FREE(ads->config.ldap_server_name);
294 SAFE_FREE(ads->config.server_site_name);
295 SAFE_FREE(ads->config.client_site_name);
296 SAFE_FREE(ads->server.workgroup);
297
298 ads->config.flags = cldap_reply.server_type;
299 ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
300 ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
301 if (!strupper_m(ads->config.realm)) {
302 ret = false;
303 goto out;
304 }
305
306 ads->config.bind_path = ads_build_dn(ads->config.realm);
307 if (*cldap_reply.server_site) {
308 ads->config.server_site_name =
309 SMB_STRDUP(cldap_reply.server_site);
310 }
311 if (*cldap_reply.client_site) {
312 ads->config.client_site_name =
313 SMB_STRDUP(cldap_reply.client_site);
314 }
315 ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
316
317 ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
318 ads->ldap.ss = ss;
319
320 /* Store our site name. */
321 sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
322 sitename_store( cldap_reply.dns_domain, cldap_reply.client_site);
323
324 ret = true;
325
326 out:
327
328 TALLOC_FREE(frame);
329 return ret;
330 }
331
332 /**********************************************************************
333 Try to find an AD dc using our internal name resolution routines
334 Try the realm first and then then workgroup name if netbios is not
335 disabled
336 **********************************************************************/
337
338 static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
339 {
340 const char *c_domain;
341 const char *c_realm;
342 int count, i=0;
343 struct ip_service *ip_list;
344 const char *realm;
345 const char *domain;
346 bool got_realm = False;
347 bool use_own_domain = False;
348 char *sitename;
349 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
350
351 /* if the realm and workgroup are both empty, assume they are ours */
352
353 /* realm */
354 c_realm = ads->server.realm;
355
356 if ( !c_realm || !*c_realm ) {
357 /* special case where no realm and no workgroup means our own */
358 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
359 use_own_domain = True;
360 c_realm = lp_realm();
361 }
362 }
363
364 if (c_realm && *c_realm)
365 got_realm = True;
366
367 /* we need to try once with the realm name and fallback to the
368 netbios domain name if we fail (if netbios has not been disabled */
369
370 if ( !got_realm && !lp_disable_netbios() ) {
371 c_realm = ads->server.workgroup;
372 if (!c_realm || !*c_realm) {
373 if ( use_own_domain )
374 c_realm = lp_workgroup();
375 }
376 }
377
378 if ( !c_realm || !*c_realm ) {
379 DEBUG(1, ("ads_find_dc: no realm or workgroup! Don't know "
380 "what to do\n"));
381 return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
382 }
383
384 if ( use_own_domain ) {
385 c_domain = lp_workgroup();
386 } else {
387 c_domain = ads->server.workgroup;
388 }
389
390 realm = c_realm;
391 domain = c_domain;
392
393 /*
394 * In case of LDAP we use get_dc_name() as that
395 * creates the custom krb5.conf file
396 */
397 if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
398 fstring srv_name;
399 struct sockaddr_storage ip_out;
400
401 DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
402 (got_realm ? "realm" : "domain"), realm));
403
404 if (get_dc_name(domain, realm, srv_name, &ip_out)) {
405 /*
406 * we call ads_try_connect() to fill in the
407 * ads->config details
408 */
409 if (ads_try_connect(ads, srv_name, false)) {
410 return NT_STATUS_OK;
411 }
412 }
413
414 return NT_STATUS_NO_LOGON_SERVERS;
415 }
416
417 sitename = sitename_fetch(realm);
418
419 again:
420
421 DEBUG(6,("ads_find_dc: (cldap) looking for %s '%s'\n",
422 (got_realm ? "realm" : "domain"), realm));
423
424 status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
425 if (!NT_STATUS_IS_OK(status)) {
426 /* fall back to netbios if we can */
427 if ( got_realm && !lp_disable_netbios() ) {
428 got_realm = False;
429 goto again;
430 }
431
432 SAFE_FREE(sitename);
433 return status;
434 }
435
436 /* if we fail this loop, then giveup since all the IP addresses returned were dead */
437 for ( i=0; i<count; i++ ) {
438 char server[INET6_ADDRSTRLEN];
439
440 print_sockaddr(server, sizeof(server), &ip_list[i].ss);
441
442 if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
443 continue;
444
445 if (!got_realm) {
446 /* realm in this case is a workgroup name. We need
447 to ignore any IP addresses in the negative connection
448 cache that match ip addresses returned in the ad realm
449 case. It sucks that I have to reproduce the logic above... */
450 c_realm = ads->server.realm;
451 if ( !c_realm || !*c_realm ) {
452 if ( !ads->server.workgroup || !*ads->server.workgroup ) {
453 c_realm = lp_realm();
454 }
455 }
456 if (c_realm && *c_realm &&
457 !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
458 /* Ensure we add the workgroup name for this
459 IP address as negative too. */
460 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
461 continue;
462 }
463 }
464
465 if ( ads_try_connect(ads, server, false) ) {
466 SAFE_FREE(ip_list);
467 SAFE_FREE(sitename);
468 return NT_STATUS_OK;
469 }
470
471 /* keep track of failures */
472 add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
473 }
474
475 SAFE_FREE(ip_list);
476
477 /* In case we failed to contact one of our closest DC on our site we
478 * need to try to find another DC, retry with a site-less SRV DNS query
479 * - Guenther */
480
481 if (sitename) {
482 DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
483 "trying to find another DC\n", sitename));
484 SAFE_FREE(sitename);
485 namecache_delete(realm, 0x1C);
486 goto again;
487 }
488
489 return NT_STATUS_NO_LOGON_SERVERS;
490 }
491
492 /*********************************************************************
493 *********************************************************************/
494
495 static NTSTATUS ads_lookup_site(void)
496 {
497 ADS_STRUCT *ads = NULL;
498 ADS_STATUS ads_status;
499 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
500
501 ads = ads_init(lp_realm(), NULL, NULL);
502 if (!ads) {
503 return NT_STATUS_NO_MEMORY;
504 }
505
506 /* The NO_BIND here will find a DC and set the client site
507 but not establish the TCP connection */
508
509 ads->auth.flags = ADS_AUTH_NO_BIND;
510 ads_status = ads_connect(ads);
511 if (!ADS_ERR_OK(ads_status)) {
512 DEBUG(4, ("ads_lookup_site: ads_connect to our realm failed! (%s)\n",
513 ads_errstr(ads_status)));
514 }
515 nt_status = ads_ntstatus(ads_status);
516
517 if (ads) {
518 ads_destroy(&ads);
519 }
520
521 return nt_status;
522 }
523
524 /*********************************************************************
525 *********************************************************************/
526
527 static const char* host_dns_domain(const char *fqdn)
528 {
529 const char *p = fqdn;
530
531 /* go to next char following '.' */
532
533 if ((p = strchr_m(fqdn, '.')) != NULL) {
534 p++;
535 }
536
537 return p;
538 }
539
540
541 /**
542 * Connect to the Global Catalog server
543 * @param ads Pointer to an existing ADS_STRUCT
544 * @return status of connection
545 *
546 * Simple wrapper around ads_connect() that fills in the
547 * GC ldap server information
548 **/
549
550 ADS_STATUS ads_connect_gc(ADS_STRUCT *ads)
551 {
552 TALLOC_CTX *frame = talloc_stackframe();
553 struct dns_rr_srv *gcs_list;
554 int num_gcs;
555 const char *realm = ads->server.realm;
556 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
557 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
558 int i;
559 bool done = false;
560 char *sitename = NULL;
561 const char *dns_hosts_file;
562
563 if (!realm)
564 realm = lp_realm();
565
566 if ((sitename = sitename_fetch(realm)) == NULL) {
567 ads_lookup_site();
568 sitename = sitename_fetch(realm);
569 }
570
571 dns_hosts_file = lp_parm_const_string(-1, "resolv", "host file", NULL);
572 do {
573 /* We try once with a sitename and once without
574 (unless we don't have a sitename and then we're
575 done */
576
577 if (sitename == NULL)
578 done = true;
579
580 nt_status = ads_dns_query_gcs(frame, dns_hosts_file,
581 realm, sitename,
582 &gcs_list, &num_gcs);
583
584 SAFE_FREE(sitename);
585
586 if (!NT_STATUS_IS_OK(nt_status)) {
587 ads_status = ADS_ERROR_NT(nt_status);
588 goto done;
589 }
590
591 /* Loop until we get a successful connection or have gone
592 through them all. When connecting a GC server, make sure that
593 the realm is the server's DNS name and not the forest root */
594
595 for (i=0; i<num_gcs; i++) {
596 ads->server.gc = true;
597 ads->server.ldap_server = SMB_STRDUP(gcs_list[i].hostname);
598 ads->server.realm = SMB_STRDUP(host_dns_domain(ads->server.ldap_server));
599 ads_status = ads_connect(ads);
600 if (ADS_ERR_OK(ads_status)) {
601 /* Reset the bind_dn to "". A Global Catalog server
602 may host multiple domain trees in a forest.
603 Windows 2003 GC server will accept "" as the search
604 path to imply search all domain trees in the forest */
605
606 SAFE_FREE(ads->config.bind_path);
607 ads->config.bind_path = SMB_STRDUP("");
608
609
610 goto done;
611 }
612 SAFE_FREE(ads->server.ldap_server);
613 SAFE_FREE(ads->server.realm);
614 }
615
616 TALLOC_FREE(gcs_list);
617 num_gcs = 0;
618 } while (!done);
619
620 done:
621 SAFE_FREE(sitename);
622 talloc_destroy(frame);
623
624 return ads_status;
625 }
626
627
628 /**
629 * Connect to the LDAP server
630 * @param ads Pointer to an existing ADS_STRUCT
631 * @return status of connection
632 **/
633 ADS_STATUS ads_connect(ADS_STRUCT *ads)
634 {
635 int version = LDAP_VERSION3;
636 ADS_STATUS status;
637 NTSTATUS ntstatus;
638 char addr[INET6_ADDRSTRLEN];
639
640 ZERO_STRUCT(ads->ldap);
641 ads->ldap.last_attempt = time_mono(NULL);
642 ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
643
644 /* try with a user specified server */
645
646 if (DEBUGLEVEL >= 11) {
647 char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
648 DEBUG(11,("ads_connect: entering\n"));
649 DEBUGADD(11,("%s\n", s));
650 TALLOC_FREE(s);
651 }
652
653 if (ads->server.ldap_server)
654 {
655 if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
656 goto got_connection;
657 }
658
659 /* The choice of which GC use is handled one level up in
660 ads_connect_gc(). If we continue on from here with
661 ads_find_dc() we will get GC searches on port 389 which
662 doesn't work. --jerry */
663
664 if (ads->server.gc == true) {
665 return ADS_ERROR(LDAP_OPERATIONS_ERROR);
666 }
667 }
668
669 ntstatus = ads_find_dc(ads);
670 if (NT_STATUS_IS_OK(ntstatus)) {
671 goto got_connection;
672 }
673
674 status = ADS_ERROR_NT(ntstatus);
675 goto out;
676
677 got_connection:
678
679 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
680 DEBUG(3,("Successfully contacted LDAP server %s\n", addr));
681
682 if (!ads->auth.user_name) {
683 /* Must use the userPrincipalName value here or sAMAccountName
684 and not servicePrincipalName; found by Guenther Deschner */
685
686 if (asprintf(&ads->auth.user_name, "%s$", lp_netbios_name() ) == -1) {
687 DEBUG(0,("ads_connect: asprintf fail.\n"));
688 ads->auth.user_name = NULL;
689 }
690 }
691
692 if (!ads->auth.realm) {
693 ads->auth.realm = SMB_STRDUP(ads->config.realm);
694 }
695
696 if (!ads->auth.kdc_server) {
697 print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
698 ads->auth.kdc_server = SMB_STRDUP(addr);
699 }
700
701 /* If the caller() requested no LDAP bind, then we are done */
702
703 if (ads->auth.flags & ADS_AUTH_NO_BIND) {
704 status = ADS_SUCCESS;
705 goto out;
706 }
707
708 ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory");
709 if (!ads->ldap.mem_ctx) {
710 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
711 goto out;
712 }
713
714 /* Otherwise setup the TCP LDAP session */
715
716 ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
717 &ads->ldap.ss,
718 ads->ldap.port, lp_ldap_timeout());
719 if (ads->ldap.ld == NULL) {
720 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
721 goto out;
722 }
723 DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
724
725 /* cache the successful connection for workgroup and realm */
726 if (ads_closest_dc(ads)) {
727 saf_store( ads->server.workgroup, ads->config.ldap_server_name);
728 saf_store( ads->server.realm, ads->config.ldap_server_name);
729 }
730
731 ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
732
733 if ( lp_ldap_ssl_ads() ) {
734 status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
735 if (!ADS_ERR_OK(status)) {
736 goto out;
737 }
738 }
739
740 /* fill in the current time and offsets */
741
742 status = ads_current_time( ads );
743 if ( !ADS_ERR_OK(status) ) {
744 goto out;
745 }
746
747 /* Now do the bind */
748
749 if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
750 status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
751 goto out;
752 }
753
754 if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
755 status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
756 goto out;
757 }
758
759 status = ads_sasl_bind(ads);
760
761 out:
762 if (DEBUGLEVEL >= 11) {
763 char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
764 DEBUG(11,("ads_connect: leaving with: %s\n",
765 ads_errstr(status)));
766 DEBUGADD(11,("%s\n", s));
767 TALLOC_FREE(s);
768 }
769
770 return status;
771 }
772
773 /**
774 * Connect to the LDAP server using given credentials
775 * @param ads Pointer to an existing ADS_STRUCT
776 * @return status of connection
777 **/
778 ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads)
779 {
780 ads->auth.flags |= ADS_AUTH_USER_CREDS;
781
782 return ads_connect(ads);
783 }
784
785 /**
786 * Disconnect the LDAP server
787 * @param ads Pointer to an existing ADS_STRUCT
788 **/
789 void ads_disconnect(ADS_STRUCT *ads)
790 {
791 if (ads->ldap.ld) {
792 ldap_unbind(ads->ldap.ld);
793 ads->ldap.ld = NULL;
794 }
795 if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
796 ads->ldap.wrap_ops->disconnect(ads);
797 }
798 if (ads->ldap.mem_ctx) {
799 talloc_free(ads->ldap.mem_ctx);
800 }
801 ZERO_STRUCT(ads->ldap);
802 }
803
804 /*
805 Duplicate a struct berval into talloc'ed memory
806 */
807 static struct berval *dup_berval(TALLOC_CTX *ctx, const struct berval *in_val)
808 {
809 struct berval *value;
810
811 if (!in_val) return NULL;
812
813 value = talloc_zero(ctx, struct berval);
814 if (value == NULL)
815 return NULL;
816 if (in_val->bv_len == 0) return value;
817
818 value->bv_len = in_val->bv_len;
819 value->bv_val = (char *)talloc_memdup(ctx, in_val->bv_val,
820 in_val->bv_len);
821 return value;
822 }
823
824 /*
825 Make a values list out of an array of (struct berval *)
826 */
827 static struct berval **ads_dup_values(TALLOC_CTX *ctx,
828 const struct berval **in_vals)
829 {
830 struct berval **values;
831 int i;
832
833 if (!in_vals) return NULL;
834 for (i=0; in_vals[i]; i++)
835 ; /* count values */
836 values = talloc_zero_array(ctx, struct berval *, i+1);
837 if (!values) return NULL;
838
839 for (i=0; in_vals[i]; i++) {
840 values[i] = dup_berval(ctx, in_vals[i]);
841 }
842 return values;
843 }
844
845 /*
846 UTF8-encode a values list out of an array of (char *)
847 */
848 static char **ads_push_strvals(TALLOC_CTX *ctx, const char **in_vals)
849 {
850 char **values;
851 int i;
852 size_t size;
853
854 if (!in_vals) return NULL;
855 for (i=0; in_vals[i]; i++)
856 ; /* count values */
857 values = talloc_zero_array(ctx, char *, i+1);
858 if (!values) return NULL;
859
860 for (i=0; in_vals[i]; i++) {
861 if (!push_utf8_talloc(ctx, &values[i], in_vals[i], &size)) {
862 TALLOC_FREE(values);
863 return NULL;
864 }
865 }
866 return values;
867 }
868
869 /*
870 Pull a (char *) array out of a UTF8-encoded values list
871 */
872 static char **ads_pull_strvals(TALLOC_CTX *ctx, const char **in_vals)
873 {
874 char **values;
875 int i;
876 size_t converted_size;
877
878 if (!in_vals) return NULL;
879 for (i=0; in_vals[i]; i++)
880 ; /* count values */
881 values = talloc_zero_array(ctx, char *, i+1);
882 if (!values) return NULL;
883
884 for (i=0; in_vals[i]; i++) {
885 if (!pull_utf8_talloc(ctx, &values[i], in_vals[i],
886 &converted_size)) {
887 DEBUG(0,("ads_pull_strvals: pull_utf8_talloc failed: "
888 "%s", strerror(errno)));
889 }
890 }
891 return values;
892 }
893
894 /**
895 * Do a search with paged results. cookie must be null on the first
896 * call, and then returned on each subsequent call. It will be null
897 * again when the entire search is complete
898 * @param ads connection to ads server
899 * @param bind_path Base dn for the search
900 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
901 * @param expr Search expression - specified in local charset
902 * @param attrs Attributes to retrieve - specified in utf8 or ascii
903 * @param res ** which will contain results - free res* with ads_msgfree()
904 * @param count Number of entries retrieved on this page
905 * @param cookie The paged results cookie to be returned on subsequent calls
906 * @return status of search
907 **/
908 static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
909 const char *bind_path,
910 int scope, const char *expr,
911 const char **attrs, void *args,
912 LDAPMessage **res,
913 int *count, struct berval **cookie)
914 {
915 int rc, i, version;
916 char *utf8_expr, *utf8_path, **search_attrs = NULL;
917 size_t converted_size;
918 LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
919 BerElement *cookie_be = NULL;
920 struct berval *cookie_bv= NULL;
921 BerElement *ext_be = NULL;
922 struct berval *ext_bv= NULL;
923
924 TALLOC_CTX *ctx;
925 ads_control *external_control = (ads_control *) args;
926
927 *res = NULL;
928
929 if (!(ctx = talloc_init("ads_do_paged_search_args")))
930 return ADS_ERROR(LDAP_NO_MEMORY);
931
932 /* 0 means the conversion worked but the result was empty
933 so we only fail if it's -1. In any case, it always
934 at least nulls out the dest */
935 if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
936 !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
937 {
938 rc = LDAP_NO_MEMORY;
939 goto done;
940 }
941
942 if (!attrs || !(*attrs))
943 search_attrs = NULL;
944 else {
945 /* This would be the utf8-encoded version...*/
946 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
947 if (!(search_attrs = str_list_copy(talloc_tos(), attrs))) {
948 rc = LDAP_NO_MEMORY;
949 goto done;
950 }
951 }
952
953 /* Paged results only available on ldap v3 or later */
954 ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
955 if (version < LDAP_VERSION3) {
956 rc = LDAP_NOT_SUPPORTED;
957 goto done;
958 }
959
960 cookie_be = ber_alloc_t(LBER_USE_DER);
961 if (*cookie) {
962 ber_printf(cookie_be, "{iO}", (ber_int_t) ads->config.ldap_page_size, *cookie);
963 ber_bvfree(*cookie); /* don't need it from last time */
964 *cookie = NULL;
965 } else {
966 ber_printf(cookie_be, "{io}", (ber_int_t) ads->config.ldap_page_size, "", 0);
967 }
968 ber_flatten(cookie_be, &cookie_bv);
969 PagedResults.ldctl_oid = discard_const_p(char, ADS_PAGE_CTL_OID);
970 PagedResults.ldctl_iscritical = (char) 1;
971 PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
972 PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
973
974 NoReferrals.ldctl_oid = discard_const_p(char, ADS_NO_REFERRALS_OID);
975 NoReferrals.ldctl_iscritical = (char) 0;
976 NoReferrals.ldctl_value.bv_len = 0;
977 NoReferrals.ldctl_value.bv_val = discard_const_p(char, "");
978
979 if (external_control &&
980 (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
981 strequal(external_control->control, ADS_SD_FLAGS_OID))) {
982
983 ExternalCtrl.ldctl_oid = discard_const_p(char, external_control->control);
984 ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
985
986 /* win2k does not accept a ldctl_value beeing passed in */
987
988 if (external_control->val != 0) {
989
990 if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
991 rc = LDAP_NO_MEMORY;
992 goto done;
993 }
994
995 if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
996 rc = LDAP_NO_MEMORY;
997 goto done;
998 }
999 if ((ber_flatten(ext_be, &ext_bv)) == -1) {
1000 rc = LDAP_NO_MEMORY;
1001 goto done;
1002 }
1003
1004 ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
1005 ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
1006
1007 } else {
1008 ExternalCtrl.ldctl_value.bv_len = 0;
1009 ExternalCtrl.ldctl_value.bv_val = NULL;
1010 }
1011
1012 controls[0] = &NoReferrals;
1013 controls[1] = &PagedResults;
1014 controls[2] = &ExternalCtrl;
1015 controls[3] = NULL;
1016
1017 } else {
1018 controls[0] = &NoReferrals;
1019 controls[1] = &PagedResults;
1020 controls[2] = NULL;
1021 }
1022
1023 /* we need to disable referrals as the openldap libs don't
1024 handle them and paged results at the same time. Using them
1025 together results in the result record containing the server
1026 page control being removed from the result list (tridge/jmcd)
1027
1028 leaving this in despite the control that says don't generate
1029 referrals, in case the server doesn't support it (jmcd)
1030 */
1031 ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1032
1033 rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1034 search_attrs, 0, controls,
1035 NULL, LDAP_NO_LIMIT,
1036 (LDAPMessage **)res);
1037
1038 ber_free(cookie_be, 1);
1039 ber_bvfree(cookie_bv);
1040
1041 if (rc) {
1042 DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
1043 ldap_err2string(rc)));
1044 if (rc == LDAP_OTHER) {
1045 char *ldap_errmsg;
1046 int ret;
1047
1048 ret = ldap_parse_result(ads->ldap.ld,
1049 *res,
1050 NULL,
1051 NULL,
1052 &ldap_errmsg,
1053 NULL,
1054 NULL,
1055 0);
1056 if (ret == LDAP_SUCCESS) {
1057 DEBUG(3, ("ldap_search_with_timeout(%s) "
1058 "error: %s\n", expr, ldap_errmsg));
1059 ldap_memfree(ldap_errmsg);
1060 }
1061 }
1062 goto done;
1063 }
1064
1065 rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL,
1066 NULL, &rcontrols, 0);
1067
1068 if (!rcontrols) {
1069 goto done;
1070 }
1071
1072 for (i=0; rcontrols[i]; i++) {
1073 if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
1074 cookie_be = ber_init(&rcontrols[i]->ldctl_value);
1075 ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
1076 &cookie_bv);
1077 /* the berval is the cookie, but must be freed when
1078 it is all done */
1079 if (cookie_bv->bv_len) /* still more to do */
1080 *cookie=ber_bvdup(cookie_bv);
1081 else
1082 *cookie=NULL;
1083 ber_bvfree(cookie_bv);
1084 ber_free(cookie_be, 1);
1085 break;
1086 }
1087 }
1088 ldap_controls_free(rcontrols);
1089
1090 done:
1091 talloc_destroy(ctx);
1092
1093 if (ext_be) {
1094 ber_free(ext_be, 1);
1095 }
1096
1097 if (ext_bv) {
1098 ber_bvfree(ext_bv);
1099 }
1100
1101 /* if/when we decide to utf8-encode attrs, take out this next line */
1102 TALLOC_FREE(search_attrs);
1103
1104 return ADS_ERROR(rc);
1105 }
1106
1107 static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
1108 int scope, const char *expr,
1109 const char **attrs, LDAPMessage **res,
1110 int *count, struct berval **cookie)
1111 {
1112 return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
1113 }
1114
1115
1116 /**
1117 * Get all results for a search. This uses ads_do_paged_search() to return
1118 * all entries in a large search.
1119 * @param ads connection to ads server
1120 * @param bind_path Base dn for the search
1121 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1122 * @param expr Search expression
1123 * @param attrs Attributes to retrieve
1124 * @param res ** which will contain results - free res* with ads_msgfree()
1125 * @return status of search
1126 **/
1127 ADS_STATUS ads_do_search_all_args(ADS_STRUCT *ads, const char *bind_path,
1128 int scope, const char *expr,
1129 const char **attrs, void *args,
1130 LDAPMessage **res)
1131 {
1132 struct berval *cookie = NULL;
1133 int count = 0;
1134 ADS_STATUS status;
1135
1136 *res = NULL;
1137 status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
1138 &count, &cookie);
1139
1140 if (!ADS_ERR_OK(status))
1141 return status;
1142
1143 #ifdef HAVE_LDAP_ADD_RESULT_ENTRY
1144 while (cookie) {
1145 LDAPMessage *res2 = NULL;
1146 LDAPMessage *msg, *next;
1147
1148 status = ads_do_paged_search_args(ads, bind_path, scope, expr,
1149 attrs, args, &res2, &count, &cookie);
1150 if (!ADS_ERR_OK(status)) {
1151 /* Ensure we free all collected results */
1152 ads_msgfree(ads, *res);
1153 *res = NULL;
1154 break;
1155 }
1156
1157 /* this relies on the way that ldap_add_result_entry() works internally. I hope
1158 that this works on all ldap libs, but I have only tested with openldap */
1159 for (msg = ads_first_message(ads, res2); msg; msg = next) {
1160 next = ads_next_message(ads, msg);
1161 ldap_add_result_entry((LDAPMessage **)res, msg);
1162 }
1163 /* note that we do not free res2, as the memory is now
1164 part of the main returned list */
1165 }
1166 #else
1167 DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
1168 status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
1169 #endif
1170
1171 return status;
1172 }
1173
1174 ADS_STATUS ads_do_search_all(ADS_STRUCT *ads, const char *bind_path,
1175 int scope, const char *expr,
1176 const char **attrs, LDAPMessage **res)
1177 {
1178 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
1179 }
1180
1181 ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
1182 int scope, const char *expr,
1183 const char **attrs, uint32 sd_flags,
1184 LDAPMessage **res)
1185 {
1186 ads_control args;
1187
1188 args.control = ADS_SD_FLAGS_OID;
1189 args.val = sd_flags;
1190 args.critical = True;
1191
1192 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
1193 }
1194
1195
1196 /**
1197 * Run a function on all results for a search. Uses ads_do_paged_search() and
1198 * runs the function as each page is returned, using ads_process_results()
1199 * @param ads connection to ads server
1200 * @param bind_path Base dn for the search
1201 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1202 * @param expr Search expression - specified in local charset
1203 * @param attrs Attributes to retrieve - specified in UTF-8 or ascii
1204 * @param fn Function which takes attr name, values list, and data_area
1205 * @param data_area Pointer which is passed to function on each call
1206 * @return status of search
1207 **/
1208 ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
1209 int scope, const char *expr, const char **attrs,
1210 bool (*fn)(ADS_STRUCT *, char *, void **, void *),
1211 void *data_area)
1212 {
1213 struct berval *cookie = NULL;
1214 int count = 0;
1215 ADS_STATUS status;
1216 LDAPMessage *res;
1217
1218 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
1219 &count, &cookie);
1220
1221 if (!ADS_ERR_OK(status)) return status;
1222
1223 ads_process_results(ads, res, fn, data_area);
1224 ads_msgfree(ads, res);
1225
1226 while (cookie) {
1227 status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
1228 &res, &count, &cookie);
1229
1230 if (!ADS_ERR_OK(status)) break;
1231
1232 ads_process_results(ads, res, fn, data_area);
1233 ads_msgfree(ads, res);
1234 }
1235
1236 return status;
1237 }
1238
1239 /**
1240 * Do a search with a timeout.
1241 * @param ads connection to ads server
1242 * @param bind_path Base dn for the search
1243 * @param scope Scope of search (LDAP_SCOPE_BASE | LDAP_SCOPE_ONE | LDAP_SCOPE_SUBTREE)
1244 * @param expr Search expression
1245 * @param attrs Attributes to retrieve
1246 * @param res ** which will contain results - free res* with ads_msgfree()
1247 * @return status of search
1248 **/
1249 ADS_STATUS ads_do_search(ADS_STRUCT *ads, const char *bind_path, int scope,
1250 const char *expr,
1251 const char **attrs, LDAPMessage **res)
1252 {
1253 int rc;
1254 char *utf8_expr, *utf8_path, **search_attrs = NULL;
1255 size_t converted_size;
1256 TALLOC_CTX *ctx;
1257
1258 *res = NULL;
1259 if (!(ctx = talloc_init("ads_do_search"))) {
1260 DEBUG(1,("ads_do_search: talloc_init() failed!"));
1261 return ADS_ERROR(LDAP_NO_MEMORY);
1262 }
1263
1264 /* 0 means the conversion worked but the result was empty
1265 so we only fail if it's negative. In any case, it always
1266 at least nulls out the dest */
1267 if (!push_utf8_talloc(ctx, &utf8_expr, expr, &converted_size) ||
1268 !push_utf8_talloc(ctx, &utf8_path, bind_path, &converted_size))
1269 {
1270 DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
1271 rc = LDAP_NO_MEMORY;
1272 goto done;
1273 }
1274
1275 if (!attrs || !(*attrs))
1276 search_attrs = NULL;
1277 else {
1278 /* This would be the utf8-encoded version...*/
1279 /* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
1280 if (!(search_attrs = str_list_copy(talloc_tos(), attrs)))
1281 {
1282 DEBUG(1,("ads_do_search: str_list_copy() failed!"));
1283 rc = LDAP_NO_MEMORY;
1284 goto done;
1285 }
1286 }
1287
1288 /* see the note in ads_do_paged_search - we *must* disable referrals */
1289 ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1290
1291 rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1292 search_attrs, 0, NULL, NULL,
1293 LDAP_NO_LIMIT,
1294 (LDAPMessage **)res);
1295
1296 if (rc == LDAP_SIZELIMIT_EXCEEDED) {
1297 DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
1298 rc = 0;
1299 }
1300
1301 done:
1302 talloc_destroy(ctx);
1303 /* if/when we decide to utf8-encode attrs, take out this next line */
1304 TALLOC_FREE(search_attrs);
1305 return ADS_ERROR(rc);
1306 }
1307 /**
1308 * Do a general ADS search
1309 * @param ads connection to ads server
1310 * @param res ** which will contain results - free res* with ads_msgfree()
1311 * @param expr Search expression
1312 * @param attrs Attributes to retrieve
1313 * @return status of search
1314 **/
1315 ADS_STATUS ads_search(ADS_STRUCT *ads, LDAPMessage **res,
1316 const char *expr, const char **attrs)
1317 {
1318 return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
1319 expr, attrs, res);
1320 }
1321
1322 /**
1323 * Do a search on a specific DistinguishedName
1324 * @param ads connection to ads server
1325 * @param res ** which will contain results - free res* with ads_msgfree()
1326 * @param dn DistinguishName to search
1327 * @param attrs Attributes to retrieve
1328 * @return status of search
1329 **/
1330 ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res,
1331 const char *dn, const char **attrs)
1332 {
1333 return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
1334 attrs, res);
1335 }
1336
1337 /**
1338 * Free up memory from a ads_search
1339 * @param ads connection to ads server
1340 * @param msg Search results to free
1341 **/
1342 void ads_msgfree(ADS_STRUCT *ads, LDAPMessage *msg)
1343 {
1344 if (!msg) return;
1345 ldap_msgfree(msg);
1346 }
1347
1348 /**
1349 * Get a dn from search results
1350 * @param ads connection to ads server
1351 * @param msg Search result
1352 * @return dn string
1353 **/
1354 char *ads_get_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg)
1355 {
1356 char *utf8_dn, *unix_dn;
1357 size_t converted_size;
1358
1359 utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
1360
1361 if (!utf8_dn) {
1362 DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
1363 return NULL;
1364 }
1365
1366 if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
1367 DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
1368 utf8_dn ));
1369 return NULL;
1370 }
1371 ldap_memfree(utf8_dn);
1372 return unix_dn;
1373 }
1374
1375 /**
1376 * Get the parent from a dn
1377 * @param dn the dn to return the parent from
1378 * @return parent dn string
1379 **/
1380 char *ads_parent_dn(const char *dn)
1381 {
1382 char *p;
1383
1384 if (dn == NULL) {
1385 return NULL;
1386 }
1387
1388 p = strchr(dn, ',');
1389
1390 if (p == NULL) {
1391 return NULL;
1392 }
1393
1394 return p+1;
1395 }
1396
1397 /**
1398 * Find a machine account given a hostname
1399 * @param ads connection to ads server
1400 * @param res ** which will contain results - free res* with ads_msgfree()
1401 * @param host Hostname to search for
1402 * @return status of search
1403 **/
1404 ADS_STATUS ads_find_machine_acct(ADS_STRUCT *ads, LDAPMessage **res,
1405 const char *machine)
1406 {
1407 ADS_STATUS status;
1408 char *expr;
1409 const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
1410
1411 *res = NULL;
1412
1413 /* the easiest way to find a machine account anywhere in the tree
1414 is to look for hostname$ */
1415 if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
1416 DEBUG(1, ("asprintf failed!\n"));
1417 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1418 }
1419
1420 status = ads_search(ads, res, expr, attrs);
1421 SAFE_FREE(expr);
1422 return status;
1423 }
1424
1425 /**
1426 * Initialize a list of mods to be used in a modify request
1427 * @param ctx An initialized TALLOC_CTX
1428 * @return allocated ADS_MODLIST
1429 **/
1430 ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1431 {
1432 #define ADS_MODLIST_ALLOC_SIZE 10
1433 LDAPMod **mods;
1434
1435 if ((mods = talloc_zero_array(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1436 /* -1 is safety to make sure we don't go over the end.
1437 need to reset it to NULL before doing ldap modify */
1438 mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1439
1440 return (ADS_MODLIST)mods;
1441 }
1442
1443
1444 /*
1445 add an attribute to the list, with values list already constructed
1446 */
1447 static ADS_STATUS ads_modlist_add(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1448 int mod_op, const char *name,
1449 const void *_invals)
1450 {
1451 const void **invals = (const void **)_invals;
1452 int curmod;
1453 LDAPMod **modlist = (LDAPMod **) *mods;
1454 struct berval **ber_values = NULL;
1455 char **char_values = NULL;
1456
1457 if (!invals) {
1458 mod_op = LDAP_MOD_DELETE;
1459 } else {
1460 if (mod_op & LDAP_MOD_BVALUES)
1461 ber_values = ads_dup_values(ctx,
1462 (const struct berval **)invals);
1463 else
1464 char_values = ads_push_strvals(ctx,
1465 (const char **) invals);
1466 }
1467
1468 /* find the first empty slot */
1469 for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1470 curmod++);
1471 if (modlist[curmod] == (LDAPMod *) -1) {
1472 if (!(modlist = talloc_realloc(ctx, modlist, LDAPMod *,
1473 curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1474 return ADS_ERROR(LDAP_NO_MEMORY);
1475 memset(&modlist[curmod], 0,
1476 ADS_MODLIST_ALLOC_SIZE*sizeof(LDAPMod *));
1477 modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1478 *mods = (ADS_MODLIST)modlist;
1479 }
1480
1481 if (!(modlist[curmod] = talloc_zero(ctx, LDAPMod)))
1482 return ADS_ERROR(LDAP_NO_MEMORY);
1483 modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1484 if (mod_op & LDAP_MOD_BVALUES) {
1485 modlist[curmod]->mod_bvalues = ber_values;
1486 } else if (mod_op & LDAP_MOD_DELETE) {
1487 modlist[curmod]->mod_values = NULL;
1488 } else {
1489 modlist[curmod]->mod_values = char_values;
1490 }
1491
1492 modlist[curmod]->mod_op = mod_op;
1493 return ADS_ERROR(LDAP_SUCCESS);
1494 }
1495
1496 /**
1497 * Add a single string value to a mod list
1498 * @param ctx An initialized TALLOC_CTX
1499 * @param mods An initialized ADS_MODLIST
1500 * @param name The attribute name to add
1501 * @param val The value to add - NULL means DELETE
1502 * @return ADS STATUS indicating success of add
1503 **/
1504 ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1505 const char *name, const char *val)
1506 {
1507 const char *values[2];
1508
1509 values[0] = val;
1510 values[1] = NULL;
1511
1512 if (!val)
1513 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1514 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1515 }
1516
1517 /**
1518 * Add an array of string values to a mod list
1519 * @param ctx An initialized TALLOC_CTX
1520 * @param mods An initialized ADS_MODLIST
1521 * @param name The attribute name to add
1522 * @param vals The array of string values to add - NULL means DELETE
1523 * @return ADS STATUS indicating success of add
1524 **/
1525 ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1526 const char *name, const char **vals)
1527 {
1528 if (!vals)
1529 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1530 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1531 name, (const void **) vals);
1532 }
1533
1534 #if 0
1535 /**
1536 * Add a single ber-encoded value to a mod list
1537 * @param ctx An initialized TALLOC_CTX
1538 * @param mods An initialized ADS_MODLIST
1539 * @param name The attribute name to add
1540 * @param val The value to add - NULL means DELETE
1541 * @return ADS STATUS indicating success of add
1542 **/
1543 static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1544 const char *name, const struct berval *val)
1545 {
1546 const struct berval *values[2];
1547
1548 values[0] = val;
1549 values[1] = NULL;
1550 if (!val)
1551 return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1552 return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
1553 name, (const void **) values);
1554 }
1555 #endif
1556
1557 /**
1558 * Perform an ldap modify
1559 * @param ads connection to ads server
1560 * @param mod_dn DistinguishedName to modify
1561 * @param mods list of modifications to perform
1562 * @return status of modify
1563 **/
1564 ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
1565 {
1566 int ret,i;
1567 char *utf8_dn = NULL;
1568 size_t converted_size;
1569 /*
1570 this control is needed to modify that contains a currently
1571 non-existent attribute (but allowable for the object) to run
1572 */
1573 LDAPControl PermitModify = {
1574 discard_const_p(char, ADS_PERMIT_MODIFY_OID),
1575 {0, NULL},
1576 (char) 1};
1577 LDAPControl *controls[2];
1578
1579 controls[0] = &PermitModify;
1580 controls[1] = NULL;
1581
1582 if (!push_utf8_talloc(talloc_tos(), &utf8_dn, mod_dn, &converted_size)) {
1583 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1584 }
1585
1586 /* find the end of the list, marked by NULL or -1 */
1587 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1588 /* make sure the end of the list is NULL */
1589 mods[i] = NULL;
1590 ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
1591 (LDAPMod **) mods, controls, NULL);
1592 TALLOC_FREE(utf8_dn);
1593 return ADS_ERROR(ret);
1594 }
1595
1596 /**
1597 * Perform an ldap add
1598 * @param ads connection to ads server
1599 * @param new_dn DistinguishedName to add
1600 * @param mods list of attributes and values for DN
1601 * @return status of add
1602 **/
1603 ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
1604 {
1605 int ret, i;
1606 char *utf8_dn = NULL;
1607 size_t converted_size;
1608
1609 if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
1610 DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
1611 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1612 }
1613
1614 /* find the end of the list, marked by NULL or -1 */
1615 for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1616 /* make sure the end of the list is NULL */
1617 mods[i] = NULL;
1618
1619 ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
1620 TALLOC_FREE(utf8_dn);
1621 return ADS_ERROR(ret);
1622 }
1623
1624 /**
1625 * Delete a DistinguishedName
1626 * @param ads connection to ads server
1627 * @param new_dn DistinguishedName to delete
1628 * @return status of delete
1629 **/
1630 ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
1631 {
1632 int ret;
1633 char *utf8_dn = NULL;
1634 size_t converted_size;
1635 if (!push_utf8_talloc(talloc_tos(), &utf8_dn, del_dn, &converted_size)) {
1636 DEBUG(1, ("ads_del_dn: push_utf8_talloc failed!"));
1637 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1638 }
1639
1640 ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
1641 TALLOC_FREE(utf8_dn);
1642 return ADS_ERROR(ret);
1643 }
1644
1645 /**
1646 * Build an org unit string
1647 * if org unit is Computers or blank then assume a container, otherwise
1648 * assume a / separated list of organisational units.
1649 * jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1650 * @param ads connection to ads server
1651 * @param org_unit Organizational unit
1652 * @return org unit string - caller must free
1653 **/
1654 char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
1655 {
1656 char *ret = NULL;
1657
1658 if (!org_unit || !*org_unit) {
1659
1660 ret = ads_default_ou_string(ads, DS_GUID_COMPUTERS_CONTAINER);
1661
1662 /* samba4 might not yet respond to a wellknownobject-query */
1663 return ret ? ret : SMB_STRDUP("cn=Computers");
1664 }
1665
1666 if (strequal(org_unit, "Computers")) {
1667 return SMB_STRDUP("cn=Computers");
1668 }
1669
1670 /* jmcd: removed "\\" from the separation chars, because it is
1671 needed as an escape for chars like '#' which are valid in an
1672 OU name */
1673 return ads_build_path(org_unit, "/", "ou=", 1);
1674 }
1675
1676 /**
1677 * Get a org unit string for a well-known GUID
1678 * @param ads connection to ads server
1679 * @param wknguid Well known GUID
1680 * @return org unit string - caller must free
1681 **/
1682 char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
1683 {
1684 ADS_STATUS status;
1685 LDAPMessage *res = NULL;
1686 char *base, *wkn_dn = NULL, *ret = NULL, **wkn_dn_exp = NULL,
1687 **bind_dn_exp = NULL;
1688 const char *attrs[] = {"distinguishedName", NULL};
1689 int new_ln, wkn_ln, bind_ln, i;
1690
1691 if (wknguid == NULL) {
1692 return NULL;
1693 }
1694
1695 if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
1696 DEBUG(1, ("asprintf failed!\n"));
1697 return NULL;
1698 }
1699
1700 status = ads_search_dn(ads, &res, base, attrs);
1701 if (!ADS_ERR_OK(status)) {
1702 DEBUG(1,("Failed while searching for: %s\n", base));
1703 goto out;
1704 }
1705
1706 if (ads_count_replies(ads, res) != 1) {
1707 goto out;
1708 }
1709
1710 /* substitute the bind-path from the well-known-guid-search result */
1711 wkn_dn = ads_get_dn(ads, talloc_tos(), res);
1712 if (!wkn_dn) {
1713 goto out;
1714 }
1715
1716 wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
1717 if (!wkn_dn_exp) {
1718 goto out;
1719 }
1720
1721 bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
1722 if (!bind_dn_exp) {
1723 goto out;
1724 }
1725
1726 for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
1727 ;
1728 for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
1729 ;
1730
1731 new_ln = wkn_ln - bind_ln;
1732
1733 ret = SMB_STRDUP(wkn_dn_exp[0]);
1734 if (!ret) {
1735 goto out;
1736 }
1737
1738 for (i=1; i < new_ln; i++) {
1739 char *s = NULL;
1740
1741 if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
1742 SAFE_FREE(ret);
1743 goto out;
1744 }
1745
1746 SAFE_FREE(ret);
1747 ret = SMB_STRDUP(s);
1748 free(s);
1749 if (!ret) {
1750 goto out;
1751 }
1752 }
1753
1754 out:
1755 SAFE_FREE(base);
1756 ads_msgfree(ads, res);
1757 TALLOC_FREE(wkn_dn);
1758 if (wkn_dn_exp) {
1759 ldap_value_free(wkn_dn_exp);
1760 }
1761 if (bind_dn_exp) {
1762 ldap_value_free(bind_dn_exp);
1763 }
1764
1765 return ret;
1766 }
1767
1768 /**
1769 * Adds (appends) an item to an attribute array, rather then
1770 * replacing the whole list
1771 * @param ctx An initialized TALLOC_CTX
1772 * @param mods An initialized ADS_MODLIST
1773 * @param name name of the ldap attribute to append to
1774 * @param vals an array of values to add
1775 * @return status of addition
1776 **/
1777
1778 ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
1779 const char *name, const char **vals)
1780 {
1781 return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
1782 (const void *) vals);
1783 }
1784
1785 /**
1786 * Determines the an account's current KVNO via an LDAP lookup
1787 * @param ads An initialized ADS_STRUCT
1788 * @param account_name the NT samaccountname.
1789 * @return the kvno for the account, or -1 in case of a failure.
1790 **/
1791
1792 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name)
1793 {
1794 LDAPMessage *res = NULL;
1795 uint32 kvno = (uint32)-1; /* -1 indicates a failure */
1796 char *filter;
1797 const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
1798 char *dn_string = NULL;
1799 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1800
1801 DEBUG(5,("ads_get_kvno: Searching for account %s\n", account_name));
1802 if (asprintf(&filter, "(samAccountName=%s)", account_name) == -1) {
1803 return kvno;
1804 }
1805 ret = ads_search(ads, &res, filter, attrs);
1806 SAFE_FREE(filter);
1807 if (!ADS_ERR_OK(ret) || (ads_count_replies(ads, res) != 1)) {
1808 DEBUG(1,("ads_get_kvno: Account for %s not found.\n", account_name));
1809 ads_msgfree(ads, res);
1810 return kvno;
1811 }
1812
1813 dn_string = ads_get_dn(ads, talloc_tos(), res);
1814 if (!dn_string) {
1815 DEBUG(0,("ads_get_kvno: out of memory.\n"));
1816 ads_msgfree(ads, res);
1817 return kvno;
1818 }
1819 DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
1820 TALLOC_FREE(dn_string);
1821
1822 /* ---------------------------------------------------------
1823 * 0 is returned as a default KVNO from this point on...
1824 * This is done because Windows 2000 does not support key
1825 * version numbers. Chances are that a failure in the next
1826 * step is simply due to Windows 2000 being used for a
1827 * domain controller. */
1828 kvno = 0;
1829
1830 if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
1831 DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
1832 DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
1833 ads_msgfree(ads, res);
1834 return kvno;
1835 }
1836
1837 /* Success */
1838 DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
1839 ads_msgfree(ads, res);
1840 return kvno;
1841 }
1842
1843 /**
1844 * Determines the computer account's current KVNO via an LDAP lookup
1845 * @param ads An initialized ADS_STRUCT
1846 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1847 * @return the kvno for the computer account, or -1 in case of a failure.
1848 **/
1849
1850 uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name)
1851 {
1852 char *computer_account = NULL;
1853 uint32_t kvno = -1;
1854
1855 if (asprintf(&computer_account, "%s$", machine_name) < 0) {
1856 return kvno;
1857 }
1858
1859 kvno = ads_get_kvno(ads, computer_account);
1860 free(computer_account);
1861
1862 return kvno;
1863 }
1864
1865 /**
1866 * This clears out all registered spn's for a given hostname
1867 * @param ads An initilaized ADS_STRUCT
1868 * @param machine_name the NetBIOS name of the computer.
1869 * @return 0 upon success, non-zero otherwise.
1870 **/
1871
1872 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name)
1873 {
1874 TALLOC_CTX *ctx;
1875 LDAPMessage *res = NULL;
1876 ADS_MODLIST mods;
1877 const char *servicePrincipalName[1] = {NULL};
1878 ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1879 char *dn_string = NULL;
1880
1881 ret = ads_find_machine_acct(ads, &res, machine_name);
1882 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
1883 DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
1884 DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
1885 ads_msgfree(ads, res);
1886 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1887 }
1888
1889 DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
1890 ctx = talloc_init("ads_clear_service_principal_names");
1891 if (!ctx) {
1892 ads_msgfree(ads, res);
1893 return ADS_ERROR(LDAP_NO_MEMORY);
1894 }
1895
1896 if (!(mods = ads_init_mods(ctx))) {
1897 talloc_destroy(ctx);
1898 ads_msgfree(ads, res);
1899 return ADS_ERROR(LDAP_NO_MEMORY);
1900 }
1901 ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1902 if (!ADS_ERR_OK(ret)) {
1903 DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
1904 ads_msgfree(ads, res);
1905 talloc_destroy(ctx);
1906 return ret;
1907 }
1908 dn_string = ads_get_dn(ads, talloc_tos(), res);
1909 if (!dn_string) {
1910 talloc_destroy(ctx);
1911 ads_msgfree(ads, res);
1912 return ADS_ERROR(LDAP_NO_MEMORY);
1913 }
1914 ret = ads_gen_mod(ads, dn_string, mods);
1915 TALLOC_FREE(dn_string);
1916 if (!ADS_ERR_OK(ret)) {
1917 DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
1918 machine_name));
1919 ads_msgfree(ads, res);
1920 talloc_destroy(ctx);
1921 return ret;
1922 }
1923
1924 ads_msgfree(ads, res);
1925 talloc_destroy(ctx);
1926 return ret;
1927 }
1928
1929 /**
1930 * @brief Search for an element in a string array.
1931 *
1932 * @param[in] el_array The string array to search.
1933 *
1934 * @param[in] num_el The number of elements in the string array.
1935 *
1936 * @param[in] el The string to search.
1937 *
1938 * @return True if found, false if not.
1939 */
1940 bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
1941 {
1942 size_t i;
1943
1944 if (el_array == NULL || num_el == 0 || el == NULL) {
1945 return false;
1946 }
1947
1948 for (i = 0; i < num_el && el_array[i] != NULL; i++) {
1949 int cmp;
1950
1951 cmp = strcasecmp_m(el_array[i], el);
1952 if (cmp == 0) {
1953 return true;
1954 }
1955 }
1956
1957 return false;
1958 }
1959
1960 /**
1961 * @brief This gets the service principal names of an existing computer account.
1962 *
1963 * @param[in] mem_ctx The memory context to use to allocate the spn array.
1964 *
1965 * @param[in] ads The ADS context to use.
1966 *
1967 * @param[in] machine_name The NetBIOS name of the computer, which is used to
1968 * identify the computer account.
1969 *
1970 * @param[in] spn_array A pointer to store the array for SPNs.
1971 *
1972 * @param[in] num_spns The number of principals stored in the array.
1973 *
1974 * @return 0 on success, or a ADS error if a failure occured.
1975 */
1976 ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
1977 ADS_STRUCT *ads,
1978 const char *machine_name,
1979 char ***spn_array,
1980 size_t *num_spns)
1981 {
1982 ADS_STATUS status;
1983 LDAPMessage *res = NULL;
1984 char *dn;
1985 int count;
1986
1987 status = ads_find_machine_acct(ads,
1988 &res,
1989 machine_name);
1990 if (!ADS_ERR_OK(status)) {
1991 DEBUG(1,("Host Account for %s not found... skipping operation.\n",
1992 machine_name));
1993 return status;
1994 }
1995
1996 count = ads_count_replies(ads, res);
1997 if (count != 1) {
1998 status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1999 goto done;
2000 }
2001
2002 dn = ads_get_dn(ads, mem_ctx, res);
2003 if (dn == NULL) {
2004 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
2005 goto done;
2006 }
2007
2008 *spn_array = ads_pull_strings(ads,
2009 mem_ctx,
2010 res,
2011 "servicePrincipalName",
2012 num_spns);
2013
2014 done:
2015 ads_msgfree(ads, res);
2016
2017 return status;
2018 }
2019
2020 /**
2021 * This adds a service principal name to an existing computer account
2022 * (found by hostname) in AD.
2023 * @param ads An initialized ADS_STRUCT
2024 * @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
2025 * @param my_fqdn The fully qualified DNS name of the machine
2026 * @param spn A string of the service principal to add, i.e. 'host'
2027 * @return 0 upon sucess, or non-zero if a failure occurs
2028 **/
2029
2030 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
2031 const char *my_fqdn, const char *spn)
2032 {
2033 ADS_STATUS ret;
2034 TALLOC_CTX *ctx;
2035 LDAPMessage *res = NULL;
2036 char *psp1, *psp2;
2037 ADS_MODLIST mods;
2038 char *dn_string = NULL;
2039 const char *servicePrincipalName[3] = {NULL, NULL, NULL};
2040
2041 ret = ads_find_machine_acct(ads, &res, machine_name);
2042 if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
2043 DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
2044 machine_name));
2045 DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
2046 spn, machine_name, ads->config.realm));
2047 ads_msgfree(ads, res);
2048 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2049 }
2050
2051 DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
2052 if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
2053 ads_msgfree(ads, res);
2054 return ADS_ERROR(LDAP_NO_MEMORY);
2055 }
2056
2057 /* add short name spn */
2058
2059 if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
2060 talloc_destroy(ctx);
2061 ads_msgfree(ads, res);
2062 return ADS_ERROR(LDAP_NO_MEMORY);
2063 }
2064 if (!strlower_m(&psp1[strlen(spn) + 1])) {
2065 ret = ADS_ERROR(LDAP_NO_MEMORY);
2066 goto out;
2067 }
2068 servicePrincipalName[0] = psp1;
2069
2070 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
2071 psp1, machine_name));
2072
2073
2074 /* add fully qualified spn */
2075
2076 if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
2077 ret = ADS_ERROR(LDAP_NO_MEMORY);
2078 goto out;
2079 }
2080 if (!strlower_m(&psp2[strlen(spn) + 1])) {
2081 ret = ADS_ERROR(LDAP_NO_MEMORY);
2082 goto out;
2083 }
2084 servicePrincipalName[1] = psp2;
2085
2086 DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
2087 psp2, machine_name));
2088
2089 if ( (mods = ads_init_mods(ctx)) == NULL ) {
2090 ret = ADS_ERROR(LDAP_NO_MEMORY);
2091 goto out;
2092 }
2093
2094 ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
2095 if (!ADS_ERR_OK(ret)) {
2096 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
2097 goto out;
2098 }
2099
2100 if ( (dn_string = ads_get_dn(ads, ctx, res)) == NULL ) {
2101 ret = ADS_ERROR(LDAP_NO_MEMORY);
2102 goto out;
2103 }
2104
2105 ret = ads_gen_mod(ads, dn_string, mods);
2106 if (!ADS_ERR_OK(ret)) {
2107 DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
2108 goto out;
2109 }
2110
2111 out:
2112 TALLOC_FREE( ctx );
2113 ads_msgfree(ads, res);
2114 return ret;
2115 }
2116
2117 /**
2118 * adds a machine account to the ADS server
2119 * @param ads An intialized ADS_STRUCT
2120 * @param machine_name - the NetBIOS machine name of this account.
2121 * @param account_type A number indicating the type of account to create
2122 * @param org_unit The LDAP path in which to place this account
2123 * @return 0 upon success, or non-zero otherwise
2124 **/
2125
2126 ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
2127 const char *org_unit)
2128 {
2129 ADS_STATUS ret;
2130 char *samAccountName, *controlstr;
2131 TALLOC_CTX *ctx;
2132 ADS_MODLIST mods;
2133 char *machine_escaped = NULL;
2134 char *new_dn;
2135 const char *objectClass[] = {"top", "person", "organizationalPerson",
2136 "user", "computer", NULL};
2137 LDAPMessage *res = NULL;
2138 uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
2139 UF_DONT_EXPIRE_PASSWD |\
2140 UF_ACCOUNTDISABLE );
2141
2142 if (!(ctx = talloc_init("ads_add_machine_acct")))
2143 return ADS_ERROR(LDAP_NO_MEMORY);
2144
2145 ret = ADS_ERROR(LDAP_NO_MEMORY);
2146
2147 machine_escaped = escape_rdn_val_string_alloc(machine_name);
2148 if (!machine_escaped) {
2149 goto done;
2150 }
2151
2152 new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
2153 samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
2154
2155 if ( !new_dn || !samAccountName ) {
2156 goto done;
2157 }
2158
2159 #ifndef ENCTYPE_ARCFOUR_HMAC
2160 acct_control |= UF_USE_DES_KEY_ONLY;
2161 #endif
2162
2163 if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
2164 goto done;
2165 }
2166
2167 if (!(mods = ads_init_mods(ctx))) {
2168 goto done;
2169 }
2170
2171 ads_mod_str(ctx, &mods, "cn", machine_name);
2172 ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
2173 ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
2174 ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
2175
2176 ret = ads_gen_add(ads, new_dn, mods);
2177
2178 done:
2179 SAFE_FREE(machine_escaped);
2180 ads_msgfree(ads, res);
2181 talloc_destroy(ctx);
2182
2183 return ret;
2184 }
2185
2186 /**
2187 * move a machine account to another OU on the ADS server
2188 * @param ads - An intialized ADS_STRUCT
2189 * @param machine_name - the NetBIOS machine name of this account.
2190 * @param org_unit - The LDAP path in which to place this account
2191 * @param moved - whether we moved the machine account (optional)
2192 * @return 0 upon success, or non-zero otherwise
2193 **/
2194
2195 ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
2196 const char *org_unit, bool *moved)
2197 {
2198 ADS_STATUS rc;
2199 int ldap_status;
2200 LDAPMessage *res = NULL;
2201 char *filter = NULL;
2202 char *computer_dn = NULL;
2203 char *parent_dn;
2204 char *computer_rdn = NULL;
2205 bool need_move = False;
2206
2207 if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
2208 rc = ADS_ERROR(LDAP_NO_MEMORY);
2209 goto done;
2210 }
2211
2212 /* Find pre-existing machine */
2213 rc = ads_search(ads, &res, filter, NULL);
2214 if (!ADS_ERR_OK(rc)) {
2215 goto done;
2216 }
2217
2218 computer_dn = ads_get_dn(ads, talloc_tos(), res);
2219 if (!computer_dn) {
2220 rc = ADS_ERROR(LDAP_NO_MEMORY);
2221 goto done;
2222 }
2223
2224 parent_dn = ads_parent_dn(computer_dn);
2225 if (strequal(parent_dn, org_unit)) {
2226 goto done;
2227 }
2228
2229 need_move = True;
2230
2231 if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
2232 rc = ADS_ERROR(LDAP_NO_MEMORY);
2233 goto done;
2234 }
2235
2236 ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn,
2237 org_unit, 1, NULL, NULL);
2238 rc = ADS_ERROR(ldap_status);
2239
2240 done:
2241 ads_msgfree(ads, res);
2242 SAFE_FREE(filter);
2243 TALLOC_FREE(computer_dn);
2244 SAFE_FREE(computer_rdn);
2245
2246 if (!ADS_ERR_OK(rc)) {
2247 need_move = False;
2248 }
2249
2250 if (moved) {
2251 *moved = need_move;
2252 }
2253
2254 return rc;
2255 }
2256
2257 /*
2258 dump a binary result from ldap
2259 */
2260 static void dump_binary(ADS_STRUCT *ads, const char *field, struct berval **values)
2261 {
2262 int i, j;
2263 for (i=0; values[i]; i++) {
2264 printf("%s: ", field);
2265 for (j=0; j<values[i]->bv_len; j++) {
2266 printf("%02X", (unsigned char)values[i]->bv_val[j]);
2267 }
2268 printf("\n");
2269 }
2270 }
2271
2272 static void dump_guid(ADS_STRUCT *ads, const char *field, struct berval **values)
2273 {
2274 int i;
2275 for (i=0; values[i]; i++) {
2276 NTSTATUS status;
2277 DATA_BLOB in = data_blob_const(values[i]->bv_val, values[i]->bv_len);
2278 struct GUID guid;
2279
2280 status = GUID_from_ndr_blob(&in, &guid);
2281 if (NT_STATUS_IS_OK(status)) {
2282 printf("%s: %s\n", field, GUID_string(talloc_tos(), &guid));
2283 } else {
2284 printf("%s: INVALID GUID\n", field);
2285 }
2286 }
2287 }
2288
2289 /*
2290 dump a sid result from ldap
2291 */
2292 static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
2293 {
2294 int i;
2295 for (i=0; values[i]; i++) {
2296 struct dom_sid sid;
2297 fstring tmp;
2298 if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
2299 return;
2300 }
2301 printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
2302 }
2303 }
2304
2305 /*
2306 dump ntSecurityDescriptor
2307 */
2308 static void dump_sd(ADS_STRUCT *ads, const char *filed, struct berval **values)
2309 {
2310 TALLOC_CTX *frame = talloc_stackframe();
2311 struct security_descriptor *psd;
2312 NTSTATUS status;
2313
2314 status = unmarshall_sec_desc(talloc_tos(), (uint8 *)values[0]->bv_val,
2315 values[0]->bv_len, &psd);
2316 if (!NT_STATUS_IS_OK(status)) {
2317 DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
2318 nt_errstr(status)));
2319 TALLOC_FREE(frame);
2320 return;
2321 }
2322
2323 if (psd) {
2324 ads_disp_sd(ads, talloc_tos(), psd);
2325 }
2326
2327 TALLOC_FREE(frame);
2328 }
2329
2330 /*
2331 dump a string result from ldap
2332 */
2333 static void dump_string(const char *field, char **values)
2334 {
2335 int i;
2336 for (i=0; values[i]; i++) {
2337 printf("%s: %s\n", field, values[i]);
2338 }
2339 }
2340
2341 /*
2342 dump a field from LDAP on stdout
2343 used for debugging
2344 */
2345
2346 static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *data_area)
2347 {
2348 const struct {
2349 const char *name;
2350 bool string;
2351 void (*handler)(ADS_STRUCT *, const char *, struct berval **);
2352 } handlers[] = {
2353 {"objectGUID", False, dump_guid},
2354 {"netbootGUID", False, dump_guid},
2355 {"nTSecurityDescriptor", False, dump_sd},
2356 {"dnsRecord", False, dump_binary},
2357 {"objectSid", False, dump_sid},
2358 {"tokenGroups", False, dump_sid},
2359 {"tokenGroupsNoGCAcceptable", False, dump_sid},
2360 {"tokengroupsGlobalandUniversal", False, dump_sid},
2361 {"mS-DS-CreatorSID", False, dump_sid},
2362 {"msExchMailboxGuid", False, dump_guid},
2363 {NULL, True, NULL}
2364 };
2365 int i;
2366
2367 if (!field) { /* must be end of an entry */
2368 printf("\n");
2369 return False;
2370 }
2371
2372 for (i=0; handlers[i].name; i++) {
2373 if (strcasecmp_m(handlers[i].name, field) == 0) {
2374 if (!values) /* first time, indicate string or not */
2375 return handlers[i].string;
2376 handlers[i].handler(ads, field, (struct berval **) values);
2377 break;
2378 }
2379 }
2380 if (!handlers[i].name) {
2381 if (!values) /* first time, indicate string conversion */
2382 return True;
2383 dump_string(field, (char **)values);
2384 }
2385 return False;
2386 }
2387
2388 /**
2389 * Dump a result from LDAP on stdout
2390 * used for debugging
2391 * @param ads connection to ads server
2392 * @param res Results to dump
2393 **/
2394
2395 void ads_dump(ADS_STRUCT *ads, LDAPMessage *res)
2396 {
2397 ads_process_results(ads, res, ads_dump_field, NULL);
2398 }
2399
2400 /**
2401 * Walk through results, calling a function for each entry found.
2402 * The function receives a field name, a berval * array of values,
2403 * and a data area passed through from the start. The function is
2404 * called once with null for field and values at the end of each
2405 * entry.
2406 * @param ads connection to ads server
2407 * @param res Results to process
2408 * @param fn Function for processing each result
2409 * @param data_area user-defined area to pass to function
2410 **/
2411 void ads_process_results(ADS_STRUCT *ads, LDAPMessage *res,
2412 bool (*fn)(ADS_STRUCT *, char *, void **, void *),
2413 void *data_area)
2414 {
2415 LDAPMessage *msg;
2416 TALLOC_CTX *ctx;
2417 size_t converted_size;
2418
2419 if (!(ctx = talloc_init("ads_process_results")))
2420 return;
2421
2422 for (msg = ads_first_entry(ads, res); msg;
2423 msg = ads_next_entry(ads, msg)) {
2424 char *utf8_field;
2425 BerElement *b;
2426
2427 for (utf8_field=ldap_first_attribute(ads->ldap.ld,
2428 (LDAPMessage *)msg,&b);
2429 utf8_field;
2430 utf8_field=ldap_next_attribute(ads->ldap.ld,
2431 (LDAPMessage *)msg,b)) {
2432 struct berval **ber_vals;
2433 char **str_vals, **utf8_vals;
2434 char *field;
2435 bool string;
2436
2437 if (!pull_utf8_talloc(ctx, &field, utf8_field,
2438 &converted_size))
2439 {
2440 DEBUG(0,("ads_process_results: "
2441 "pull_utf8_talloc failed: %s",
2442 strerror(errno)));
2443 }
2444
2445 string = fn(ads, field, NULL, data_area);
2446
2447 if (string) {
2448 utf8_vals = ldap_get_values(ads->ldap.ld,
2449 (LDAPMessage *)msg, field);
2450 str_vals = ads_pull_strvals(ctx,
2451 (const char **) utf8_vals);
2452 fn(ads, field, (void **) str_vals, data_area);
2453 ldap_value_free(utf8_vals);
2454 } else {
2455 ber_vals = ldap_get_values_len(ads->ldap.ld,
2456 (LDAPMessage *)msg, field);
2457 fn(ads, field, (void **) ber_vals, data_area);
2458
2459 ldap_value_free_len(ber_vals);
2460 }
2461 ldap_memfree(utf8_field);
2462 }
2463 ber_free(b, 0);
2464 talloc_free_children(ctx);
2465 fn(ads, NULL, NULL, data_area); /* completed an entry */
2466
2467 }
2468 talloc_destroy(ctx);
2469 }
2470
2471 /**
2472 * count how many replies are in a LDAPMessage
2473 * @param ads connection to ads server
2474 * @param res Results to count
2475 * @return number of replies
2476 **/
2477 int ads_count_replies(ADS_STRUCT *ads, void *res)
2478 {
2479 return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res);
2480 }
2481
2482 /**
2483 * pull the first entry from a ADS result
2484 * @param ads connection to ads server
2485 * @param res Results of search
2486 * @return first entry from result
2487 **/
2488 LDAPMessage *ads_first_entry(ADS_STRUCT *ads, LDAPMessage *res)
2489 {
2490 return ldap_first_entry(ads->ldap.ld, res);
2491 }
2492
2493 /**
2494 * pull the next entry from a ADS result
2495 * @param ads connection to ads server
2496 * @param res Results of search
2497 * @return next entry from result
2498 **/
2499 LDAPMessage *ads_next_entry(ADS_STRUCT *ads, LDAPMessage *res)
2500 {
2501 return ldap_next_entry(ads->ldap.ld, res);
2502 }
2503
2504 /**
2505 * pull the first message from a ADS result
2506 * @param ads connection to ads server
2507 * @param res Results of search
2508 * @return first message from result
2509 **/
2510 LDAPMessage *ads_first_message(ADS_STRUCT *ads, LDAPMessage *res)
2511 {
2512 return ldap_first_message(ads->ldap.ld, res);
2513 }
2514
2515 /**
2516 * pull the next message from a ADS result
2517 * @param ads connection to ads server
2518 * @param res Results of search
2519 * @return next message from result
2520 **/
2521 LDAPMessage *ads_next_message(ADS_STRUCT *ads, LDAPMessage *res)
2522 {
2523 return ldap_next_message(ads->ldap.ld, res);
2524 }
2525
2526 /**
2527 * pull a single string from a ADS result
2528 * @param ads connection to ads server
2529 * @param mem_ctx TALLOC_CTX to use for allocating result string
2530 * @param msg Results of search
2531 * @param field Attribute to retrieve
2532 * @return Result string in talloc context
2533 **/
2534 char *ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *msg,
2535 const char *field)
2536 {
2537 char **values;
2538 char *ret = NULL;
2539 char *ux_string;
2540 size_t converted_size;
2541
2542 values = ldap_get_values(ads->ldap.ld, msg, field);
2543 if (!values)
2544 return NULL;
2545
2546 if (values[0] && pull_utf8_talloc(mem_ctx, &ux_string, values[0],
2547 &converted_size))
2548 {
2549 ret = ux_string;
2550 }
2551 ldap_value_free(values);
2552 return ret;
2553 }
2554
2555 /**
2556 * pull an array of strings from a ADS result
2557 * @param ads connection to ads server
2558 * @param mem_ctx TALLOC_CTX to use for allocating result string
2559 * @param msg Results of search
2560 * @param field Attribute to retrieve
2561 * @return Result strings in talloc context
2562 **/
2563 char **ads_pull_strings(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2564 LDAPMessage *msg, const char *field,
2565 size_t *num_values)
2566 {
2567 char **values;
2568 char **ret = NULL;
2569 int i;
2570 size_t converted_size;
2571
2572 values = ldap_get_values(ads->ldap.ld, msg, field);
2573 if (!values)
2574 return NULL;
2575
2576 *num_values = ldap_count_values(values);
2577
2578 ret = talloc_array(mem_ctx, char *, *num_values + 1);
2579 if (!ret) {
2580 ldap_value_free(values);
2581 return NULL;
2582 }
2583
2584 for (i=0;i<*num_values;i++) {
2585 if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i],
2586 &converted_size))
2587 {
2588 ldap_value_free(values);
2589 return NULL;
2590 }
2591 }
2592 ret[i] = NULL;
2593
2594 ldap_value_free(values);
2595 return ret;
2596 }
2597
2598 /**
2599 * pull an array of strings from a ADS result
2600 * (handle large multivalue attributes with range retrieval)
2601 * @param ads connection to ads server
2602 * @param mem_ctx TALLOC_CTX to use for allocating result string
2603 * @param msg Results of search
2604 * @param field Attribute to retrieve
2605 * @param current_strings strings returned by a previous call to this function
2606 * @param next_attribute The next query should ask for this attribute
2607 * @param num_values How many values did we get this time?
2608 * @param more_values Are there more values to get?
2609 * @return Result strings in talloc context
2610 **/
2611 char **ads_pull_strings_range(ADS_STRUCT *ads,
2612 TALLOC_CTX *mem_ctx,
2613 LDAPMessage *msg, const char *field,
2614 char **current_strings,
2615 const char **next_attribute,
2616 size_t *num_strings,
2617 bool *more_strings)
2618 {
2619 char *attr;
2620 char *expected_range_attrib, *range_attr;
2621 BerElement *ptr = NULL;
2622 char **strings;
2623 char **new_strings;
2624 size_t num_new_strings;
2625 unsigned long int range_start;
2626 unsigned long int range_end;
2627
2628 /* we might have been given the whole lot anyway */
2629 if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
2630 *more_strings = False;
2631 return strings;
2632 }
2633
2634 expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
2635
2636 /* look for Range result */
2637 for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr);
2638 attr;
2639 attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) {
2640 /* we ignore the fact that this is utf8, as all attributes are ascii... */
2641 if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
2642 range_attr = attr;
2643 break;
2644 }
2645 ldap_memfree(attr);
2646 }
2647 if (!attr) {
2648 ber_free(ptr, 0);
2649 /* nothing here - this field is just empty */
2650 *more_strings = False;
2651 return NULL;
2652 }
2653
2654 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
2655 &range_start, &range_end) == 2) {
2656 *more_strings = True;
2657 } else {
2658 if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
2659 &range_start) == 1) {
2660 *more_strings = False;
2661 } else {
2662 DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
2663 range_attr));
2664 ldap_memfree(range_attr);
2665 *more_strings = False;
2666 return NULL;
2667 }
2668 }
2669
2670 if ((*num_strings) != range_start) {
2671 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
2672 " - aborting range retreival\n",
2673 range_attr, (unsigned int)(*num_strings) + 1, range_start));
2674 ldap_memfree(range_attr);
2675 *more_strings = False;
2676 return NULL;
2677 }
2678
2679 new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
2680
2681 if (*more_strings && ((*num_strings + num_new_strings) != (range_end + 1))) {
2682 DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
2683 "strings in this bunch, but we only got %lu - aborting range retreival\n",
2684 range_attr, (unsigned long int)range_end - range_start + 1,
2685 (unsigned long int)num_new_strings));
2686 ldap_memfree(range_attr);
2687 *more_strings = False;
2688 return NULL;
2689 }
2690
2691 strings = talloc_realloc(mem_ctx, current_strings, char *,
2692 *num_strings + num_new_strings);
2693
2694 if (strings == NULL) {
2695 ldap_memfree(range_attr);
2696 *more_strings = False;
2697 return NULL;
2698 }
2699
2700 if (new_strings && num_new_strings) {
2701 memcpy(&strings[*num_strings], new_strings,
2702 sizeof(*new_strings) * num_new_strings);
2703 }
2704
2705 (*num_strings) += num_new_strings;
2706
2707 if (*more_strings) {
2708 *next_attribute = talloc_asprintf(mem_ctx,
2709 "%s;range=%d-*",
2710 field,
2711 (int)*num_strings);
2712
2713 if (!*next_attribute) {
2714 DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
2715 ldap_memfree(range_attr);
2716 *more_strings = False;
2717 return NULL;
2718 }
2719 }
2720
2721 ldap_memfree(range_attr);
2722
2723 return strings;
2724 }
2725
2726 /**
2727 * pull a single uint32 from a ADS result
2728 * @param ads connection to ads server
2729 * @param msg Results of search
2730 * @param field Attribute to retrieve
2731 * @param v Pointer to int to store result
2732 * @return boolean inidicating success
2733 */
2734 bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2735 uint32 *v)
2736 {
2737 char **values;
2738
2739 values = ldap_get_values(ads->ldap.ld, msg, field);
2740 if (!values)
2741 return False;
2742 if (!values[0]) {
2743 ldap_value_free(values);
2744 return False;
2745 }
2746
2747 *v = atoi(values[0]);
2748 ldap_value_free(values);
2749 return True;
2750 }
2751
2752 /**
2753 * pull a single objectGUID from an ADS result
2754 * @param ads connection to ADS server
2755 * @param msg results of search
2756 * @param guid 37-byte area to receive text guid
2757 * @return boolean indicating success
2758 **/
2759 bool ads_pull_guid(ADS_STRUCT *ads, LDAPMessage *msg, struct GUID *guid)
2760 {
2761 DATA_BLOB blob;
2762 NTSTATUS status;
2763
2764 if (!smbldap_talloc_single_blob(talloc_tos(), ads->ldap.ld, msg, "objectGUID",
2765 &blob)) {
2766 return false;
2767 }
2768
2769 status = GUID_from_ndr_blob(&blob, guid);
2770 talloc_free(blob.data);
2771 return NT_STATUS_IS_OK(status);
2772 }
2773
2774
2775 /**
2776 * pull a single struct dom_sid from a ADS result
2777 * @param ads connection to ads server
2778 * @param msg Results of search
2779 * @param field Attribute to retrieve
2780 * @param sid Pointer to sid to store result
2781 * @return boolean inidicating success
2782 */
2783 bool ads_pull_sid(ADS_STRUCT *ads, LDAPMessage *msg, const char *field,
2784 struct dom_sid *sid)
2785 {
2786 return smbldap_pull_sid(ads->ldap.ld, msg, field, sid);
2787 }
2788
2789 /**
2790 * pull an array of struct dom_sids from a ADS result
2791 * @param ads connection to ads server
2792 * @param mem_ctx TALLOC_CTX for allocating sid array
2793 * @param msg Results of search
2794 * @param field Attribute to retrieve
2795 * @param sids pointer to sid array to allocate
2796 * @return the count of SIDs pulled
2797 **/
2798 int ads_pull_sids(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2799 LDAPMessage *msg, const char *field, struct dom_sid **sids)
2800 {
2801 struct berval **values;
2802 bool ret;
2803 int count, i;
2804
2805 values = ldap_get_values_len(ads->ldap.ld, msg, field);
2806
2807 if (!values)
2808 return 0;
2809
2810 for (i=0; values[i]; i++)
2811 /* nop */ ;
2812
2813 if (i) {
2814 (*sids) = talloc_array(mem_ctx, struct dom_sid, i);
2815 if (!(*sids)) {
2816 ldap_value_free_len(values);
2817 return 0;
2818 }
2819 } else {
2820 (*sids) = NULL;
2821 }
2822
2823 count = 0;
2824 for (i=0; values[i]; i++) {
2825 ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
2826 if (ret) {
2827 DEBUG(10, ("pulling SID: %s\n",
2828 sid_string_dbg(&(*sids)[count])));
2829 count++;
2830 }
2831 }
2832
2833 ldap_value_free_len(values);
2834 return count;
2835 }
2836
2837 /**
2838 * pull a struct security_descriptor from a ADS result
2839 * @param ads connection to ads server
2840 * @param mem_ctx TALLOC_CTX for allocating sid array
2841 * @param msg Results of search
2842 * @param field Attribute to retrieve
2843 * @param sd Pointer to *struct security_descriptor to store result (talloc()ed)
2844 * @return boolean inidicating success
2845 */
2846 bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2847 LDAPMessage *msg, const char *field,
2848 struct security_descriptor **sd)
2849 {
2850 struct berval **values;
2851 bool ret = true;
2852
2853 values = ldap_get_values_len(ads->ldap.ld, msg, field);
2854
2855 if (!values) return false;
2856
2857 if (values[0]) {
2858 NTSTATUS status;
2859 status = unmarshall_sec_desc(mem_ctx,
2860 (uint8 *)values[0]->bv_val,
2861 values[0]->bv_len, sd);
2862 if (!NT_STATUS_IS_OK(status)) {
2863 DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
2864 nt_errstr(status)));
2865 ret = false;
2866 }
2867 }
2868
2869 ldap_value_free_len(values);
2870 return ret;
2871 }
2872
2873 /*
2874 * in order to support usernames longer than 21 characters we need to
2875 * use both the sAMAccountName and the userPrincipalName attributes
2876 * It seems that not all users have the userPrincipalName attribute set
2877 *
2878 * @param ads connection to ads server
2879 * @param mem_ctx TALLOC_CTX for allocating sid array
2880 * @param msg Results of search
2881 * @return the username
2882 */
2883 char *ads_pull_username(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
2884 LDAPMessage *msg)
2885 {
2886 #if 0 /* JERRY */
2887 char *ret, *p;
2888
2889 /* lookup_name() only works on the sAMAccountName to
2890 returning the username portion of userPrincipalName
2891 breaks winbindd_getpwnam() */
2892
2893 ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
2894 if (ret && (p = strchr_m(ret, '@'))) {
2895 *p = 0;
2896 return ret;
2897 }
2898 #endif
2899 return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
2900 }
2901
2902
2903 /**
2904 * find the update serial number - this is the core of the ldap cache
2905 * @param ads connection to ads server
2906 * @param ads connection to ADS server
2907 * @param usn Pointer to retrieved update serial number
2908 * @return status of search
2909 **/
2910 ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn)
2911 {
2912 const char *attrs[] = {"highestCommittedUSN", NULL};
2913 ADS_STATUS status;
2914 LDAPMessage *res;
2915
2916 status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2917 if (!ADS_ERR_OK(status))
2918 return status;
2919
2920 if (ads_count_replies(ads, res) != 1) {
2921 ads_msgfree(ads, res);
2922 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2923 }
2924
2925 if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
2926 ads_msgfree(ads, res);
2927 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
2928 }
2929
2930 ads_msgfree(ads, res);
2931 return ADS_SUCCESS;
2932 }
2933
2934 /* parse a ADS timestring - typical string is
2935 '20020917091222.0Z0' which means 09:12.22 17th September
2936 2002, timezone 0 */
2937 static time_t ads_parse_time(const char *str)
2938 {
2939 struct tm tm;
2940
2941 ZERO_STRUCT(tm);
2942
2943 if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
2944 &tm.tm_year, &tm.tm_mon, &tm.tm_mday,
2945 &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
2946 return 0;
2947 }
2948 tm.tm_year -= 1900;
2949 tm.tm_mon -= 1;
2950
2951 return timegm(&tm);
2952 }
2953
2954 /********************************************************************
2955 ********************************************************************/
2956
2957 ADS_STATUS ads_current_time(ADS_STRUCT *ads)
2958 {
2959 const char *attrs[] = {"currentTime", NULL};
2960 ADS_STATUS status;
2961 LDAPMessage *res;
2962 char *timestr;
2963 TALLOC_CTX *ctx;
2964 ADS_STRUCT *ads_s = ads;
2965
2966 if (!(ctx = talloc_init("ads_current_time"))) {
2967 return ADS_ERROR(LDAP_NO_MEMORY);
2968 }
2969
2970 /* establish a new ldap tcp session if necessary */
2971
2972 if ( !ads->ldap.ld ) {
2973 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2974 ads->server.ldap_server )) == NULL )
2975 {
2976 goto done;
2977 }
2978 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2979 status = ads_connect( ads_s );
2980 if ( !ADS_ERR_OK(status))
2981 goto done;
2982 }
2983
2984 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2985 if (!ADS_ERR_OK(status)) {
2986 goto done;
2987 }
2988
2989 timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
2990 if (!timestr) {
2991 ads_msgfree(ads_s, res);
2992 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2993 goto done;
2994 }
2995
2996 /* but save the time and offset in the original ADS_STRUCT */
2997
2998 ads->config.current_time = ads_parse_time(timestr);
2999
3000 if (ads->config.current_time != 0) {
3001 ads->auth.time_offset = ads->config.current_time - time(NULL);
3002 DEBUG(4,("KDC time offset is %d seconds\n", ads->auth.time_offset));
3003 }
3004
3005 ads_msgfree(ads, res);
3006
3007 status = ADS_SUCCESS;
3008
3009 done:
3010 /* free any temporary ads connections */
3011 if ( ads_s != ads ) {
3012 ads_destroy( &ads_s );
3013 }
3014 talloc_destroy(ctx);
3015
3016 return status;
3017 }
3018
3019 /********************************************************************
3020 ********************************************************************/
3021
3022 ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val)
3023 {
3024 const char *attrs[] = {"domainFunctionality", NULL};
3025 ADS_STATUS status;
3026 LDAPMessage *res;
3027 ADS_STRUCT *ads_s = ads;
3028
3029 *val = DS_DOMAIN_FUNCTION_2000;
3030
3031 /* establish a new ldap tcp session if necessary */
3032
3033 if ( !ads->ldap.ld ) {
3034 if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
3035 ads->server.ldap_server )) == NULL )
3036 {
3037 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
3038 goto done;
3039 }
3040 ads_s->auth.flags = ADS_AUTH_ANON_BIND;
3041 status = ads_connect( ads_s );
3042 if ( !ADS_ERR_OK(status))
3043 goto done;
3044 }
3045
3046 /* If the attribute does not exist assume it is a Windows 2000
3047 functional domain */
3048
3049 status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3050 if (!ADS_ERR_OK(status)) {
3051 if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
3052 status = ADS_SUCCESS;
3053 }
3054 goto done;
3055 }
3056
3057 if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
3058 DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
3059 }
3060 DEBUG(3,("ads_domain_func_level: %d\n", *val));
3061
3062
3063 ads_msgfree(ads, res);
3064
3065 done:
3066 /* free any temporary ads connections */
3067 if ( ads_s != ads ) {
3068 ads_destroy( &ads_s );
3069 }
3070
3071 return status;
3072 }
3073
3074 /**
3075 * find the domain sid for our domain
3076 * @param ads connection to ads server
3077 * @param sid Pointer to domain sid
3078 * @return status of search
3079 **/
3080 ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid)
3081 {
3082 const char *attrs[] = {"objectSid", NULL};
3083 LDAPMessage *res;
3084 ADS_STATUS rc;
3085
3086 rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
3087 attrs, &res);
3088 if (!ADS_ERR_OK(rc)) return rc;
3089 if (!ads_pull_sid(ads, res, "objectSid", sid)) {
3090 ads_msgfree(ads, res);
3091 return ADS_ERROR_SYSTEM(ENOENT);
3092 }
3093 ads_msgfree(ads, res);
3094
3095 return ADS_SUCCESS;
3096 }
3097
3098 /**
3099 * find our site name
3100 * @param ads connection to ads server
3101 * @param mem_ctx Pointer to talloc context
3102 * @param site_name Pointer to the sitename
3103 * @return status of search
3104 **/
3105 ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
3106 {
3107 ADS_STATUS status;
3108 LDAPMessage *res;
3109 const char *dn, *service_name;
3110 const char *attrs[] = { "dsServiceName", NULL };
3111
3112 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
3113 if (!ADS_ERR_OK(status)) {
3114 return status;
3115 }
3116
3117 service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
3118 if (service_name == NULL) {
3119 ads_msgfree(ads, res);
3120 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3121 }
3122
3123 ads_msgfree(ads, res);
3124
3125 /* go up three levels */
3126 dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
3127 if (dn == NULL) {
3128 return ADS_ERROR(LDAP_NO_MEMORY);
3129 }
3130
3131 *site_name = talloc_strdup(mem_ctx, dn);
3132 if (*site_name == NULL) {
3133 return ADS_ERROR(LDAP_NO_MEMORY);
3134 }
3135
3136 return status;
3137 /*
3138 dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
3139 */
3140 }
3141
3142 /**
3143 * find the site dn where a machine resides
3144 * @param ads connection to ads server
3145 * @param mem_ctx Pointer to talloc context
3146 * @param computer_name name of the machine
3147 * @param site_name Pointer to the sitename
3148 * @return status of search
3149 **/
3150 ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
3151 {
3152 ADS_STATUS status;
3153 LDAPMessage *res;
3154 const char *parent, *filter;
3155 char *config_context = NULL;
3156 char *dn;
3157
3158 /* shortcut a query */
3159 if (strequal(computer_name, ads->config.ldap_server_name)) {
3160 return ads_site_dn(ads, mem_ctx, site_dn);
3161 }
3162
3163 status = ads_config_path(ads, mem_ctx, &config_context);
3164 if (!ADS_ERR_OK(status)) {
3165 return status;
3166 }
3167
3168 filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
3169 if (filter == NULL) {
3170 return ADS_ERROR(LDAP_NO_MEMORY);
3171 }
3172
3173 status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE,
3174 filter, NULL, &res);
3175 if (!ADS_ERR_OK(status)) {
3176 return status;
3177 }
3178
3179 if (ads_count_replies(ads, res) != 1) {
3180 ads_msgfree(ads, res);
3181 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
3182 }
3183
3184 dn = ads_get_dn(ads, mem_ctx, res);
3185 if (dn == NULL) {
3186 ads_msgfree(ads, res);
3187 return ADS_ERROR(LDAP_NO_MEMORY);
3188 }
3189
3190 /* go up three levels */
3191 parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
3192 if (parent == NULL) {
3193 ads_msgfree(ads, res);
3194 TALLOC_FREE(dn);
3195 return ADS_ERROR(LDAP_NO_MEMORY);
3196 }
3197
3198 *site_dn = talloc_strdup(mem_ctx, parent);
3199 if (*site_dn == NULL) {
3200 ads_msgfree(ads, res);
3201 TALLOC_FREE(dn);
3202 return ADS_ERROR(LDAP_NO_MEMORY);
3203 }
3204
3205 TALLOC_FREE(dn);
3206 ads_msgfree(ads, res);
3207
3208 return status;
3209 }
3210
3211 /**
3212 * get the upn suffixes for a domain
3213 * @param ads connection to ads server
3214 * @param mem_ctx Pointer to talloc context
3215 * @param suffixes Pointer to an array of suffixes
3216 * @param num_suffixes Pointer to the number of suffixes
3217 * @return status of search
3218 **/
3219 ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes)
3220 {
3221 ADS_STATUS status;
3222 LDAPMessage *res;
3223 const char *base;
3224 char *config_context = NULL;
3225 const char *attrs[] = { "uPNSuffixes", NULL };
3226
3227 status = ads_config_path(ads, mem_ctx, &config_context);
3228 if (!ADS_ERR_OK(status)) {
3229 return status;
3230 }
3231
3232 base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
3233 if (base == NULL) {
3234 return ADS_ERROR(LDAP_NO_MEMORY);
3235 }
3236
3237 status = ads_search_dn(ads, &res, base, attrs);
3238 if (!ADS_ERR_OK(status)) {
3239 return status;
3240 }
3241
3242 if (ads_count_replies(ads, res) != 1) {
3243 ads_msgfree(ads, res);
3244 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
3245 }
3246
3247 (*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
3248 if ((*suffixes) == NULL) {
3249 ads_msgfree(ads, res);
3250 return ADS_ERROR(LDAP_NO_MEMORY);
3251 }
3252
3253 ads_msgfree(ads, res);
3254
3255 return status;
3256 }
3257
3258 /**
3259 * get the joinable ous for a domain
3260 * @param ads connection to ads server
3261 * @param mem_ctx Pointer to talloc context
3262 * @param ous Pointer to an array of ous
3263 * @param num_ous Pointer to the number of ous
3264 * @return status of search
3265 **/
3266 ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
3267 TALLOC_CTX *mem_ctx,
3268 char ***ous,
3269 size_t *num_ous)
3270 {
3271 ADS_STATUS status;
3272 LDAPMessage *res = NULL;
3273 LDAPMessage *msg = NULL;
3274 const char *attrs[] = { "dn", NULL };
3275 int count = 0;
3276
3277 status = ads_search(ads, &res,
3278 "(|(objectClass=domain)(objectclass=organizationalUnit))",
3279 attrs);
3280 if (!ADS_ERR_OK(status)) {
3281 return status;
3282 }
3283
3284 count = ads_count_replies(ads, res);
3285 if (count < 1) {
3286 ads_msgfree(ads, res);
3287 return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3288 }
3289
3290 for (msg = ads_first_entry(ads, res); msg;
3291 msg = ads_next_entry(ads, msg)) {
3292
3293 char *dn = NULL;
3294
3295 dn = ads_get_dn(ads, talloc_tos(), msg);
3296 if (!dn) {
3297 ads_msgfree(ads, res);
3298 return ADS_ERROR(LDAP_NO_MEMORY);
3299 }
3300
3301 if (!add_string_to_array(mem_ctx, dn,
3302 (const char ***)ous,
3303 num_ous)) {
3304 TALLOC_FREE(dn);
3305 ads_msgfree(ads, res);
3306 return ADS_ERROR(LDAP_NO_MEMORY);
3307 }
3308
3309 TALLOC_FREE(dn);
3310 }
3311
3312 ads_msgfree(ads, res);
3313
3314 return status;
3315 }
3316
3317
3318 /**
3319 * pull a struct dom_sid from an extended dn string
3320 * @param mem_ctx TALLOC_CTX
3321 * @param extended_dn string
3322 * @param flags string type of extended_dn
3323 * @param sid pointer to a struct dom_sid
3324 * @return NT_STATUS_OK on success,
3325 * NT_INVALID_PARAMETER on error,
3326 * NT_STATUS_NOT_FOUND if no SID present
3327 **/
3328 ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
3329 const char *extended_dn,
3330 enum ads_extended_dn_flags flags,
3331 struct dom_sid *sid)
3332 {
3333 char *p, *q, *dn;
3334
3335 if (!extended_dn) {
3336 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3337 }
3338
3339 /* otherwise extended_dn gets stripped off */
3340 if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
3341 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3342 }
3343 /*
3344 * ADS_EXTENDED_DN_HEX_STRING:
3345 * <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
3346 *
3347 * ADS_EXTENDED_DN_STRING (only with w2k3):
3348 * <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
3349 *
3350 * Object with no SID, such as an Exchange Public Folder
3351 * <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com
3352 */
3353
3354 p = strchr(dn, ';');
3355 if (!p) {
3356 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3357 }
3358
3359 if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
3360 DEBUG(5,("No SID present in extended dn\n"));
3361 return ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
3362 }
3363
3364 p += strlen(";<SID=");
3365
3366 q = strchr(p, '>');
3367 if (!q) {
3368 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3369 }
3370
3371 *q = '\0';
3372
3373 DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
3374
3375 switch (flags) {
3376
3377 case ADS_EXTENDED_DN_STRING:
3378 if (!string_to_sid(sid, p)) {
3379 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3380 }
3381 break;
3382 case ADS_EXTENDED_DN_HEX_STRING: {
3383 fstring buf;
3384 size_t buf_len;
3385
3386 buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
3387 if (buf_len == 0) {
3388 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3389 }
3390
3391 if (!sid_parse(buf, buf_len, sid)) {
3392 DEBUG(10,("failed to parse sid\n"));
3393 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3394 }
3395 break;
3396 }
3397 default:
3398 DEBUG(10,("unknown extended dn format\n"));
3399 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3400 }
3401
3402 return ADS_ERROR_NT(NT_STATUS_OK);
3403 }
3404
3405 /********************************************************************
3406 ********************************************************************/
3407
3408 char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3409 {
3410 LDAPMessage *res = NULL;
3411 ADS_STATUS status;
3412 int count = 0;
3413 char *name = NULL;
3414
3415 status = ads_find_machine_acct(ads, &res, lp_netbios_name());
3416 if (!ADS_ERR_OK(status)) {
3417 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3418 lp_netbios_name()));
3419 goto out;
3420 }
3421
3422 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3423 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3424 goto out;
3425 }
3426
3427 if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
3428 DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
3429 }
3430
3431 out:
3432 ads_msgfree(ads, res);
3433
3434 return name;
3435 }
3436
3437 /********************************************************************
3438 ********************************************************************/
3439
3440 char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3441 {
3442 LDAPMessage *res = NULL;
3443 ADS_STATUS status;
3444 int count = 0;
3445 char *name = NULL;
3446
3447 status = ads_find_machine_acct(ads, &res, machine_name);
3448 if (!ADS_ERR_OK(status)) {
3449 DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
3450 lp_netbios_name()));
3451 goto out;
3452 }
3453
3454 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3455 DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
3456 goto out;
3457 }
3458
3459 if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
3460 DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
3461 }
3462
3463 out:
3464 ads_msgfree(ads, res);
3465
3466 return name;
3467 }
3468
3469 /********************************************************************
3470 ********************************************************************/
3471
3472 char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
3473 {
3474 LDAPMessage *res = NULL;
3475 ADS_STATUS status;
3476 int count = 0;
3477 char *name = NULL;
3478
3479 status = ads_find_machine_acct(ads, &res, lp_netbios_name());
3480 if (!ADS_ERR_OK(status)) {
3481 DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3482 lp_netbios_name()));
3483 goto out;
3484 }
3485
3486 if ( (count = ads_count_replies(ads, res)) != 1 ) {
3487 DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3488 goto out;
3489 }
3490
3491 if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
3492 DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
3493 }
3494
3495 out:
3496 ads_msgfree(ads, res);
3497
3498 return name;
3499 }
3500
3501 #if 0
3502
3503 SAVED CODE - we used to join via ldap - remember how we did this. JRA.
3504
3505 /**
3506 * Join a machine to a realm
3507 * Creates the machine account and sets the machine password
3508 * @param ads connection to ads server
3509 * @param machine name of host to add
3510 * @param org_unit Organizational unit to place machine in
3511 * @return status of join
3512 **/
3513 ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
3514 uint32 account_type, const char *org_unit)
3515 {
3516 ADS_STATUS status;
3517 LDAPMessage *res = NULL;
3518 char *machine;
3519
3520 /* machine name must be lowercase */
3521 machine = SMB_STRDUP(machine_name);
3522 strlower_m(machine);
3523
3524 /*
3525 status = ads_find_machine_acct(ads, (void **)&res, machine);
3526 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3527 DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
3528 status = ads_leave_realm(ads, machine);
3529 if (!ADS_ERR_OK(status)) {
3530 DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
3531 machine, ads->config.realm));
3532 return status;
3533 }
3534 }
3535 */
3536 status = ads_add_machine_acct(ads, machine, account_type, org_unit);
3537 if (!ADS_ERR_OK(status)) {
3538 DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
3539 SAFE_FREE(machine);
3540 return status;
3541 }
3542
3543 status = ads_find_machine_acct(ads, (void **)(void *)&res, machine);
3544 if (!ADS_ERR_OK(status)) {
3545 DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
3546 SAFE_FREE(machine);
3547 return status;
3548 }
3549
3550 SAFE_FREE(machine);
3551 ads_msgfree(ads, res);
3552
3553 return status;
3554 }
3555 #endif
3556
3557 /**
3558 * Delete a machine from the realm
3559 * @param ads connection to ads server
3560 * @param hostname Machine to remove
3561 * @return status of delete
3562 **/
3563 ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
3564 {
3565 ADS_STATUS status;
3566 void *msg;
3567 LDAPMessage *res;
3568 char *hostnameDN, *host;
3569 int rc;
3570 LDAPControl ldap_control;
3571 LDAPControl * pldap_control[2] = {NULL, NULL};
3572
3573 pldap_control[0] = &ldap_control;
3574 memset(&ldap_control, 0, sizeof(LDAPControl));
3575 ldap_control.ldctl_oid = discard_const_p(char, LDAP_SERVER_TREE_DELETE_OID);
3576
3577 /* hostname must be lowercase */
3578 host = SMB_STRDUP(hostname);
3579 if (!strlower_m(host)) {
3580 SAFE_FREE(host);
3581 return ADS_ERROR_SYSTEM(EINVAL);
3582 }
3583
3584 status = ads_find_machine_acct(ads, &res, host);
3585 if (!ADS_ERR_OK(status)) {
3586 DEBUG(0, ("Host account for %s does not exist.\n", host));
3587 SAFE_FREE(host);
3588 return status;
3589 }
3590
3591 msg = ads_first_entry(ads, res);
3592 if (!msg) {
3593 SAFE_FREE(host);
3594 return ADS_ERROR_SYSTEM(ENOENT);
3595 }
3596
3597 hostnameDN = ads_get_dn(ads, talloc_tos(), (LDAPMessage *)msg);
3598 if (hostnameDN == NULL) {
3599 SAFE_FREE(host);
3600 return ADS_ERROR_SYSTEM(ENOENT);
3601 }
3602
3603 rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
3604 if (rc) {
3605 DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
3606 }else {
3607 DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
3608 }
3609
3610 if (rc != LDAP_SUCCESS) {
3611 const char *attrs[] = { "cn", NULL };
3612 LDAPMessage *msg_sub;
3613
3614 /* we only search with scope ONE, we do not expect any further
3615 * objects to be created deeper */
3616
3617 status = ads_do_search_retry(ads, hostnameDN,
3618 LDAP_SCOPE_ONELEVEL,
3619 "(objectclass=*)", attrs, &res);
3620
3621 if (!ADS_ERR_OK(status)) {
3622 SAFE_FREE(host);
3623 TALLOC_FREE(hostnameDN);
3624 return status;
3625 }
3626
3627 for (msg_sub = ads_first_entry(ads, res); msg_sub;
3628 msg_sub = ads_next_entry(ads, msg_sub)) {
3629
3630 char *dn = NULL;
3631
3632 if ((dn = ads_get_dn(ads, talloc_tos(), msg_sub)) == NULL) {
3633 SAFE_FREE(host);
3634 TALLOC_FREE(hostnameDN);
3635 return ADS_ERROR(LDAP_NO_MEMORY);
3636 }
3637
3638 status = ads_del_dn(ads, dn);
3639 if (!ADS_ERR_OK(status)) {
3640 DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
3641 SAFE_FREE(host);
3642 TALLOC_FREE(dn);
3643 TALLOC_FREE(hostnameDN);
3644 return status;
3645 }
3646
3647 TALLOC_FREE(dn);
3648 }
3649
3650 /* there should be no subordinate objects anymore */
3651 status = ads_do_search_retry(ads, hostnameDN,
3652 LDAP_SCOPE_ONELEVEL,
3653 "(objectclass=*)", attrs, &res);
3654
3655 if (!ADS_ERR_OK(status) || ( (ads_count_replies(ads, res)) > 0 ) ) {
3656 SAFE_FREE(host);
3657 TALLOC_FREE(hostnameDN);
3658 return status;
3659 }
3660
3661 /* delete hostnameDN now */
3662 status = ads_del_dn(ads, hostnameDN);
3663 if (!ADS_ERR_OK(status)) {
3664 SAFE_FREE(host);
3665 DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
3666 TALLOC_FREE(hostnameDN);
3667 return status;
3668 }
3669 }
3670
3671 TALLOC_FREE(hostnameDN);
3672
3673 status = ads_find_machine_acct(ads, &res, host);
3674 if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3675 DEBUG(3, ("Failed to remove host account.\n"));
3676 SAFE_FREE(host);
3677 return status;
3678 }
3679
3680 SAFE_FREE(host);
3681 return status;
3682 }
3683
3684 /**
3685 * pull all token-sids from an LDAP dn
3686 * @param ads connection to ads server
3687 * @param mem_ctx TALLOC_CTX for allocating sid array
3688 * @param dn of LDAP object
3689 * @param user_sid pointer to struct dom_sid (objectSid)
3690 * @param primary_group_sid pointer to struct dom_sid (self composed)
3691 * @param sids pointer to sid array to allocate
3692 * @param num_sids counter of SIDs pulled
3693 * @return status of token query
3694 **/
3695 ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
3696 TALLOC_CTX *mem_ctx,
3697 const char *dn,
3698 struct dom_sid *user_sid,
3699 struct dom_sid *primary_group_sid,
3700 struct dom_sid **sids,
3701 size_t *num_sids)
3702 {
3703 ADS_STATUS status;
3704 LDAPMessage *res = NULL;
3705 int count = 0;
3706 size_t tmp_num_sids;
3707 struct dom_sid *tmp_sids;
3708 struct dom_sid tmp_user_sid;
3709 struct dom_sid tmp_primary_group_sid;
3710 uint32 pgid;
3711 const char *attrs[] = {
3712 "objectSid",
3713 "tokenGroups",
3714 "primaryGroupID",
3715 NULL
3716 };
3717
3718 status = ads_search_retry_dn(ads, &res, dn, attrs);
3719 if (!ADS_ERR_OK(status)) {
3720 return status;
3721 }
3722
3723 count = ads_count_replies(ads, res);
3724 if (count != 1) {
3725 ads_msgfree(ads, res);
3726 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
3727 }
3728
3729 if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
3730 ads_msgfree(ads, res);
3731 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3732 }
3733
3734 if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
3735 ads_msgfree(ads, res);
3736 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3737 }
3738
3739 {
3740 /* hack to compose the primary group sid without knowing the
3741 * domsid */
3742
3743 struct dom_sid domsid;
3744
3745 sid_copy(&domsid, &tmp_user_sid);
3746
3747 if (!sid_split_rid(&domsid, NULL)) {
3748 ads_msgfree(ads, res);
3749 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3750 }
3751
3752 if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
3753 ads_msgfree(ads, res);
3754 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3755 }
3756 }
3757
3758 tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
3759
3760 if (tmp_num_sids == 0 || !tmp_sids) {
3761 ads_msgfree(ads, res);
3762 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3763 }
3764
3765 if (num_sids) {
3766 *num_sids = tmp_num_sids;
3767 }
3768
3769 if (sids) {
3770 *sids = tmp_sids;
3771 }
3772
3773 if (user_sid) {
3774 *user_sid = tmp_user_sid;
3775 }
3776
3777 if (primary_group_sid) {
3778 *primary_group_sid = tmp_primary_group_sid;
3779 }
3780
3781 DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
3782
3783 ads_msgfree(ads, res);
3784 return ADS_ERROR_LDAP(LDAP_SUCCESS);
3785 }
3786
3787 /**
3788 * Find a sAMAccoutName in LDAP
3789 * @param ads connection to ads server
3790 * @param mem_ctx TALLOC_CTX for allocating sid array
3791 * @param samaccountname to search
3792 * @param uac_ret uint32 pointer userAccountControl attribute value
3793 * @param dn_ret pointer to dn
3794 * @return status of token query
3795 **/
3796 ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
3797 TALLOC_CTX *mem_ctx,
3798 const char *samaccountname,
3799 uint32 *uac_ret,
3800 const char **dn_ret)
3801 {
3802 ADS_STATUS status;
3803 const char *attrs[] = { "userAccountControl", NULL };
3804 const char *filter;
3805 LDAPMessage *res = NULL;
3806 char *dn = NULL;
3807 uint32 uac = 0;
3808
3809 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
3810 samaccountname);
3811 if (filter == NULL) {
3812 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
3813 goto out;
3814 }
3815
3816 status = ads_do_search_all(ads, ads->config.bind_path,
3817 LDAP_SCOPE_SUBTREE,
3818 filter, attrs, &res);
3819
3820 if (!ADS_ERR_OK(status)) {
3821 goto out;
3822 }
3823
3824 if (ads_count_replies(ads, res) != 1) {
3825 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3826 goto out;
3827 }
3828
3829 dn = ads_get_dn(ads, talloc_tos(), res);
3830 if (dn == NULL) {
3831 status = ADS_ERROR(LDAP_NO_MEMORY);
3832 goto out;
3833 }
3834
3835 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
3836 status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
3837 goto out;
3838 }
3839
3840 if (uac_ret) {
3841 *uac_ret = uac;
3842 }
3843
3844 if (dn_ret) {
3845 *dn_ret = talloc_strdup(mem_ctx, dn);
3846 if (!*dn_ret) {
3847 status = ADS_ERROR(LDAP_NO_MEMORY);
3848 goto out;
3849 }
3850 }
3851 out:
3852 TALLOC_FREE(dn);
3853 ads_msgfree(ads, res);
3854
3855 return status;
3856 }
3857
3858 /**
3859 * find our configuration path
3860 * @param ads connection to ads server
3861 * @param mem_ctx Pointer to talloc context
3862 * @param config_path Pointer to the config path
3863 * @return status of search
3864 **/
3865 ADS_STATUS ads_config_path(ADS_STRUCT *ads,
3866 TALLOC_CTX *mem_ctx,
3867 char **config_path)
3868 {
3869 ADS_STATUS status;
3870 LDAPMessage *res = NULL;
3871 const char *config_context = NULL;
3872 const char *attrs[] = { "configurationNamingContext", NULL };
3873
3874 status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
3875 "(objectclass=*)", attrs, &res);
3876 if (!ADS_ERR_OK(status)) {
3877 return status;
3878 }
3879
3880 config_context = ads_pull_string(ads, mem_ctx, res,
3881 "configurationNamingContext");
3882 ads_msgfree(ads, res);
3883 if (!config_context) {
3884 return ADS_ERROR(LDAP_NO_MEMORY);
3885 }
3886
3887 if (config_path) {
3888 *config_path = talloc_strdup(mem_ctx, config_context);
3889 if (!*config_path) {
3890 return ADS_ERROR(LDAP_NO_MEMORY);
3891 }
3892 }
3893
3894 return ADS_ERROR(LDAP_SUCCESS);
3895 }
3896
3897 /**
3898 * find the displayName of an extended right
3899 * @param ads connection to ads server
3900 * @param config_path The config path
3901 * @param mem_ctx Pointer to talloc context
3902 * @param GUID struct of the rightsGUID
3903 * @return status of search
3904 **/
3905 const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
3906 const char *config_path,
3907 TALLOC_CTX *mem_ctx,
3908 const struct GUID *rights_guid)
3909 {
3910 ADS_STATUS rc;
3911 LDAPMessage *res = NULL;
3912 char *expr = NULL;
3913 const char *attrs[] = { "displayName", NULL };
3914 const char *result = NULL;
3915 const char *path;
3916
3917 if (!ads || !mem_ctx || !rights_guid) {
3918 goto done;
3919 }
3920
3921 expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
3922 GUID_string(mem_ctx, rights_guid));
3923 if (!expr) {
3924 goto done;
3925 }
3926
3927 path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path);
3928 if (!path) {
3929 goto done;
3930 }
3931
3932 rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE,
3933 expr, attrs, &res);
3934 if (!ADS_ERR_OK(rc)) {
3935 goto done;
3936 }
3937
3938 if (ads_count_replies(ads, res) != 1) {
3939 goto done;
3940 }
3941
3942 result = ads_pull_string(ads, mem_ctx, res, "displayName");
3943
3944 done:
3945 ads_msgfree(ads, res);
3946 return result;
3947 }
3948
3949 /**
3950 * verify or build and verify an account ou
3951 * @param mem_ctx Pointer to talloc context
3952 * @param ads connection to ads server
3953 * @param account_ou
3954 * @return status of search
3955 **/
3956
3957 ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
3958 ADS_STRUCT *ads,
3959 const char **account_ou)
3960 {
3961 char **exploded_dn;
3962 const char *name;
3963 char *ou_string;
3964
3965 exploded_dn = ldap_explode_dn(*account_ou, 0);
3966 if (exploded_dn) {
3967 ldap_value_free(exploded_dn);
3968 return ADS_SUCCESS;
3969 }
3970
3971 ou_string = ads_ou_string(ads, *account_ou);
3972 if (!ou_string) {
3973 return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3974 }
3975
3976 name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
3977 ads->config.bind_path);
3978 SAFE_FREE(ou_string);
3979
3980 if (!name) {
3981 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3982 }
3983
3984 exploded_dn = ldap_explode_dn(name, 0);
3985 if (!exploded_dn) {
3986 return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3987 }
3988 ldap_value_free(exploded_dn);
3989
3990 *account_ou = name;
3991 return ADS_SUCCESS;
3992 }
3993
3994 #endif
Samba GIT mirror