sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code

r10341: remove unused libads/ code, we'll never use this in samba4,

Browse Source 
and have replacements for the most stuff already in the tree

discussed with abartlet

metze
This commit is contained in:
Stefan Metzmacher 2005-09-20 08:30:30 +00:00 committed by Gerald (Jerry) Carter
parent a34d0771ce
commit 18facf90e9
11 changed files with 0 additions and 4589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

234
source/libads/ads_ldap.c
View File

@ -1,234 +0,0 @@
/*
Unix SMB/CIFS implementation.
Winbind ADS backend functions
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_LDAP
/* convert a single name to a sid in a domain */
NTSTATUS ads_name_to_sid(ADS_STRUCT *ads,
const char *name,
DOM_SID *sid,
enum samr_SidType *type)
{
const char *attrs[] = {"objectSid", "sAMAccountType", NULL};
int count;
ADS_STATUS rc;
void *res = NULL;
char *ldap_exp;
uint32_t t;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
char *escaped_name = escape_ldap_string_alloc(name);
char *escaped_realm = escape_ldap_string_alloc(ads->config.realm);
if (!escaped_name || !escaped_realm) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (asprintf(&ldap_exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))",
escaped_name, escaped_name, escaped_realm) == -1) {
DEBUG(1,("ads_name_to_sid: asprintf failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = ads_search_retry(ads, &res, ldap_exp, attrs);
free(ldap_exp);
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("name_to_sid ads_search: %s\n", ads_errstr(rc)));
goto done;
}
count = ads_count_replies(ads, res);
if (count != 1) {
DEBUG(1,("name_to_sid: %s not found\n", name));
goto done;
}
if (!ads_pull_sid(ads, res, "objectSid", sid)) {
DEBUG(1,("No sid for %s !?\n", name));
goto done;
}
if (!ads_pull_uint32_t(ads, res, "sAMAccountType", &t)) {
DEBUG(1,("No sAMAccountType for %s !?\n", name));
goto done;
}
*type = ads_atype_map(t);
status = NT_STATUS_OK;
DEBUG(3,("ads name_to_sid mapped %s\n", name));
done:
if (res) ads_msgfree(ads, res);
SAFE_FREE(escaped_name);
SAFE_FREE(escaped_realm);
return status;
}
/* convert a sid to a user or group name */
NTSTATUS ads_sid_to_name(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **name,
enum samr_SidType *type)
{
const char *attrs[] = {"userPrincipalName",
"sAMAccountName",
"sAMAccountType", NULL};
ADS_STATUS rc;
void *msg = NULL;
char *ldap_exp = NULL;
char *sidstr = NULL;
uint32_t atype;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
if (!(sidstr = sid_binstring(sid))) {
DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
DEBUG(1,("ads_sid_to_name: asprintf failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc)));
goto done;
}
if (!ads_pull_uint32_t(ads, msg, "sAMAccountType", &atype)) {
goto done;
}
*name = ads_pull_username(ads, mem_ctx, msg);
if (!*name) {
DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
*type = ads_atype_map(atype);
status = NT_STATUS_OK;
DEBUG(3,("ads sid_to_name mapped %s\n", *name));
done:
if (msg) ads_msgfree(ads, msg);
SAFE_FREE(ldap_exp);
SAFE_FREE(sidstr);
return status;
}
/* convert a sid to a DN */
ADS_STATUS ads_sid_to_dn(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **dn)
{
ADS_STATUS rc;
LDAPMessage *msg = NULL;
LDAPMessage *entry = NULL;
char *ldap_exp;
char *sidstr = NULL;
int count;
char *dn2 = NULL;
const char *attr[] = {
"dn",
NULL
};
if (!(sidstr = sid_binstring(sid))) {
DEBUG(1,("ads_sid_to_dn: sid_binstring failed!\n"));
rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
}
if(!(ldap_exp = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr))) {
DEBUG(1,("ads_sid_to_dn: talloc_asprintf failed!\n"));
rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
}
rc = ads_search_retry(ads, (void **)&msg, ldap_exp, attr);
if (!ADS_ERR_OK(rc)) {
DEBUG(1,("ads_sid_to_dn ads_search: %s\n", ads_errstr(rc)));
goto done;
}
if ((count = ads_count_replies(ads, msg)) != 1) {
fstring sid_string;
DEBUG(1,("ads_sid_to_dn (sid=%s): Not found (count=%d)\n",
sid_to_string(sid_string, sid), count));
rc = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
goto done;
}
entry = ads_first_entry(ads, msg);
dn2 = ads_get_dn(ads, entry);
if (!dn2) {
rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
}
*dn = talloc_strdup(mem_ctx, dn2);
if (!*dn) {
ads_memfree(ads, dn2);
rc = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto done;
}
rc = ADS_ERROR_NT(NT_STATUS_OK);
DEBUG(3,("ads sid_to_dn mapped %s\n", dn2));
SAFE_FREE(dn2);
done:
if (msg) ads_msgfree(ads, msg);
if (dn2) ads_memfree(ads, dn2);
SAFE_FREE(sidstr);
return rc;
}
#endif

142
source/libads/ads_status.c
View File

@ -1,142 +0,0 @@
/*
Unix SMB/CIFS implementation.
ads (active directory) utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
Copyright (C) Andrew Bartlett 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/*
build a ADS_STATUS structure
*/
ADS_STATUS ads_build_error(enum ads_error_type etype,
int rc, int minor_status)
{
ADS_STATUS ret;
if (etype == ENUM_ADS_ERROR_NT) {
DEBUG(0,("don't use ads_build_error with ENUM_ADS_ERROR_NT!\n"));
ret.err.rc = -1;
ret.error_type = ENUM_ADS_ERROR_SYSTEM;
ret.minor_status = 0;
return ret;
}
ret.err.rc = rc;
ret.error_type = etype;
ret.minor_status = minor_status;
return ret;
}
ADS_STATUS ads_build_nt_error(enum ads_error_type etype,
NTSTATUS nt_status)
{
ADS_STATUS ret;
if (etype != ENUM_ADS_ERROR_NT) {
DEBUG(0,("don't use ads_build_nt_error without ENUM_ADS_ERROR_NT!\n"));
ret.err.rc = -1;
ret.error_type = ENUM_ADS_ERROR_SYSTEM;
ret.minor_status = 0;
return ret;
}
ret.err.nt_status = nt_status;
ret.error_type = etype;
ret.minor_status = 0;
return ret;
}
/*
do a rough conversion between ads error codes and NT status codes
we'll need to fill this in more
*/
NTSTATUS ads_ntstatus(ADS_STATUS status)
{
if (status.error_type == ENUM_ADS_ERROR_NT){
return status.err.nt_status;
}
#ifdef HAVE_LDAP
if ((status.error_type == ENUM_ADS_ERROR_LDAP)
&& (status.err.rc == LDAP_NO_MEMORY)) {
return NT_STATUS_NO_MEMORY;
}
#endif
#ifdef HAVE_KRB5
if (status.error_type == ENUM_ADS_ERROR_KRB5) {
if (status.err.rc == KRB5KDC_ERR_PREAUTH_FAILED) {
return NT_STATUS_LOGON_FAILURE;
} else if (status.err.rc == KRB5_KDC_UNREACH) {
return NT_STATUS_NO_LOGON_SERVERS;
}
}
#endif
if (ADS_ERR_OK(status)) return NT_STATUS_OK;
return NT_STATUS_UNSUCCESSFUL;
}
/*
return a string for an error from a ads routine
*/
const char *ads_errstr(ADS_STATUS status)
{
uint32_t msg_ctx;
static char *ret;
SAFE_FREE(ret);
msg_ctx = 0;
switch (status.error_type) {
case ENUM_ADS_ERROR_SYSTEM:
return strerror(status.err.rc);
#ifdef HAVE_LDAP
case ENUM_ADS_ERROR_LDAP:
return ldap_err2string(status.err.rc);
#endif
#ifdef HAVE_KRB5
case ENUM_ADS_ERROR_KRB5:
return error_message(status.err.rc);
#endif
#ifdef HAVE_GSSAPI
case ENUM_ADS_ERROR_GSS:
{
uint32_t minor;
gss_buffer_desc msg1, msg2;
msg1.value = NULL;
msg2.value = NULL;
gss_display_status(&minor, status.err.rc, GSS_C_GSS_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg1);
gss_display_status(&minor, status.minor_status, GSS_C_MECH_CODE,
GSS_C_NULL_OID, &msg_ctx, &msg2);
asprintf(&ret, "%s : %s", (char *)msg1.value, (char *)msg2.value);
gss_release_buffer(&minor, &msg1);
gss_release_buffer(&minor, &msg2);
return ret;
}
#endif
case ENUM_ADS_ERROR_NT:
return get_friendly_nt_error_msg(ads_ntstatus(status));
default:
return "Unknown ADS error type!? (not compiled in?)";
}
}

140
source/libads/ads_struct.c
View File

@ -1,140 +0,0 @@
/*
Unix SMB/CIFS implementation.
ads (active directory) utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
/* return a ldap dn path from a string, given separators and field name
caller must free
*/
char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse)
{
char *p, *r;
int numbits = 0;
char *ret;
int len;
r = strdup(realm);
if (!r || !*r)
return r;
for (p=r; *p; p++)
if (strchr(sep, *p))
numbits++;
len = (numbits+1)*(strlen(field)+1) + strlen(r) + 1;
ret = malloc(len);
if (!ret)
return NULL;
strlcpy(ret,field, len);
p=strtok(r,sep);
strlcat(ret, p, len);
while ((p=strtok(NULL,sep))) {
char *s;
if (reverse)
asprintf(&s, "%s%s,%s", field, p, ret);
else
asprintf(&s, "%s,%s%s", ret, field, p);
free(ret);
ret = s;
}
free(r);
return ret;
}
/* return a dn of the form "dc=AA,dc=BB,dc=CC" from a
realm of the form AA.BB.CC
caller must free
*/
char *ads_build_dn(const char *realm)
{
return ads_build_path(realm, ".", "dc=", 0);
}
#ifndef LDAP_PORT
#define LDAP_PORT 389
#endif
/*
initialise a ADS_STRUCT, ready for some ads_ ops
*/
ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
const char *ldap_server)
{
ADS_STRUCT *ads;
ads = smb_xmalloc_p(ADS_STRUCT);
ZERO_STRUCTP(ads);
ads->server.realm = realm? strdup(realm) : NULL;
ads->server.workgroup = workgroup ? strdup(workgroup) : NULL;
ads->server.ldap_server = ldap_server? strdup(ldap_server) : NULL;
/* we need to know if this is a foreign realm */
if (realm && *realm && !strequal(lp_realm(), realm)) {
ads->server.foreign = 1;
}
if (workgroup && *workgroup && !strequal(lp_workgroup(), workgroup)) {
ads->server.foreign = 1;
}
return ads;
}
/* a simpler ads_init() interface using all defaults */
ADS_STRUCT *ads_init_simple(void)
{
return ads_init(NULL, NULL, NULL);
}
/*
free the memory used by the ADS structure initialized with 'ads_init(...)'
*/
void ads_destroy(ADS_STRUCT **ads)
{
if (ads && *ads) {
#if HAVE_LDAP
if ((*ads)->ld) ldap_unbind((*ads)->ld);
#endif
SAFE_FREE((*ads)->server.realm);
SAFE_FREE((*ads)->server.workgroup);
SAFE_FREE((*ads)->server.ldap_server);
SAFE_FREE((*ads)->server.ldap_uri);
SAFE_FREE((*ads)->auth.realm);
SAFE_FREE((*ads)->auth.password);
SAFE_FREE((*ads)->auth.user_name);
SAFE_FREE((*ads)->auth.kdc_server);
SAFE_FREE((*ads)->config.realm);
SAFE_FREE((*ads)->config.bind_path);
SAFE_FREE((*ads)->config.ldap_server_name);
ZERO_STRUCTP(*ads);
SAFE_FREE(*ads);
}
}

159
source/libads/disp_sec.c
View File

@ -1,159 +0,0 @@
/*
Unix SMB/CIFS implementation.
Samba utility functions. ADS stuff
Copyright (C) Alexey Kotovich 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
static struct perm_mask_str {
uint32_t mask;
const char *str;
} perms[] = {
{SEC_RIGHTS_FULL_CTRL, "[Full Control]"},
{SEC_RIGHTS_LIST_CONTENTS, "[List Contents]"},
{SEC_RIGHTS_LIST_OBJECT, "[List Object]"},
{SEC_RIGHTS_READ_ALL_PROP, "[Read All Properties]"},
{SEC_RIGHTS_READ_PERMS, "[Read Permissions]"},
{SEC_RIGHTS_WRITE_ALL_VALID, "[All validate writes]"},
{SEC_RIGHTS_WRITE_ALL_PROP, "[Write All Properties]"},
{SEC_RIGHTS_MODIFY_PERMS, "[Modify Permissions]"},
{SEC_RIGHTS_MODIFY_OWNER, "[Modify Owner]"},
{SEC_RIGHTS_CREATE_CHILD, "[Create All Child Objects]"},
{SEC_RIGHTS_DELETE, "[Delete]"},
{SEC_RIGHTS_DELETE_SUBTREE, "[Delete Subtree]"},
{SEC_RIGHTS_DELETE_CHILD, "[Delete All Child Objects]"},
{SEC_RIGHTS_CHANGE_PASSWD, "[Change Password]"},
{SEC_RIGHTS_RESET_PASSWD, "[Reset Password]"},
{0, 0}
};
/* convert a security permissions into a string */
static void ads_disp_perms(uint32_t type)
{
int i = 0;
int j = 0;
printf("Permissions: ");
if (type == SEC_RIGHTS_FULL_CTRL) {
printf("%s\n", perms[j].str);
return;
}
for (i = 0; i < 32; i++) {
if (type & (1 << i)) {
for (j = 1; perms[j].str; j ++) {
if (perms[j].mask == (((uint_t) 1) << i)) {
printf("\n\t%s", perms[j].str);
}
}
type &= ~(1 << i);
}
}
/* remaining bits get added on as-is */
if (type != 0) {
printf("[%08x]", type);
}
puts("");
}
/* display ACE */
static void ads_disp_ace(SEC_ACE *sec_ace)
{
const char *access_type = "UNKNOWN";
if (!sec_ace_object(sec_ace->type)) {
printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x)\n",
sec_ace->type,
sec_ace->flags,
sec_ace->size,
sec_ace->info.mask);
} else {
printf("------- ACE (type: 0x%02x, flags: 0x%02x, size: 0x%02x, mask: 0x%x, object flags: 0x%x)\n",
sec_ace->type,
sec_ace->flags,
sec_ace->size,
sec_ace->info.mask,
sec_ace->obj_flags);
}
if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED) {
access_type = "ALLOWED";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED) {
access_type = "DENIED";
} else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT) {
access_type = "SYSTEM AUDIT";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
access_type = "ALLOWED OBJECT";
} else if (sec_ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
access_type = "DENIED OBJECT";
} else if (sec_ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) {
access_type = "AUDIT OBJECT";
}
printf("access SID: %s\naccess type: %s\n",
sid_string_static(&sec_ace->trustee), access_type);
ads_disp_perms(sec_ace->info.mask);
}
/* display ACL */
static void ads_disp_acl(SEC_ACL *sec_acl, const char *type)
{
if (!sec_acl)
printf("------- (%s) ACL not present\n", type);
else {
printf("------- (%s) ACL (revision: %d, size: %d, number of ACEs: %d)\n",
type,
sec_acl->revision,
sec_acl->size,
sec_acl->num_aces);
}
}
/* display SD */
void ads_disp_sd(SEC_DESC *sd)
{
int i;
printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
sd->revision,
sd->type);
printf("owner SID: %s\n", sid_string_static(sd->owner_sid));
printf("group SID: %s\n", sid_string_static(sd->grp_sid));
ads_disp_acl(sd->sacl, "system");
for (i = 0; i < sd->sacl->num_aces; i ++)
ads_disp_ace(&sd->sacl->ace[i]);
ads_disp_acl(sd->dacl, "user");
for (i = 0; i < sd->dacl->num_aces; i ++)
ads_disp_ace(&sd->dacl->ace[i]);
printf("-------------- End Of Security Descriptor\n");
}

689
source/libads/krb5_setpw.c
View File

@ -1,689 +0,0 @@
/*
Unix SMB/CIFS implementation.
krb5 set password implementation
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_KRB5
#define DEFAULT_KPASSWD_PORT 464
#define KRB5_KPASSWD_VERS_CHANGEPW 1
#define KRB5_KPASSWD_VERS_SETPW 2
#define KRB5_KPASSWD_VERS_SETPW_MS 0xff80
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
/* Those are defined by kerberos-set-passwd-02.txt and are probably
* not supported by M$ implementation */
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10
/* This implements kerberos password change protocol as specified in
* kerb-chg-password-02.txt and kerberos-set-passwd-02.txt
* as well as microsoft version of the protocol
* as specified in kerberos-set-passwd-00.txt
*/
static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
{
char* princ_part1 = NULL;
char* princ_part2 = NULL;
char* realm = NULL;
char* c;
char* princ;
struct asn1_data req;
DATA_BLOB ret;
princ = strdup(principal);
if ((c = strchr(princ, '/')) == NULL) {
c = princ;
} else {
*c = '\0';
c++;
princ_part1 = princ;
}
princ_part2 = c;
if ((c = strchr(c, '@')) != NULL) {
*c = '\0';
c++;
realm = c;
}
memset(&req, 0, sizeof(req));
asn1_push_tag(&req, ASN1_SEQUENCE(0));
asn1_push_tag(&req, ASN1_CONTEXT(0));
asn1_write_OctetString(&req, password, strlen(password));
asn1_pop_tag(&req);
asn1_push_tag(&req, ASN1_CONTEXT(1));
asn1_push_tag(&req, ASN1_SEQUENCE(0));
asn1_push_tag(&req, ASN1_CONTEXT(0));
asn1_write_Integer(&req, 1);
asn1_pop_tag(&req);
asn1_push_tag(&req, ASN1_CONTEXT(1));
asn1_push_tag(&req, ASN1_SEQUENCE(0));
if (princ_part1)
asn1_write_GeneralString(&req, princ_part1);
asn1_write_GeneralString(&req, princ_part2);
asn1_pop_tag(&req);
asn1_pop_tag(&req);
asn1_pop_tag(&req);
asn1_pop_tag(&req);
asn1_push_tag(&req, ASN1_CONTEXT(2));
asn1_write_GeneralString(&req, realm);
asn1_pop_tag(&req);
asn1_pop_tag(&req);
ret = data_blob(req.data, req.length);
asn1_free(&req);
free(princ);
return ret;
}
static krb5_error_code build_kpasswd_request(uint16_t pversion,
krb5_context context,
krb5_auth_context auth_context,
krb5_data *ap_req,
const char *princ,
const char *passwd,
krb5_data *packet)
{
krb5_error_code ret;
krb5_data cipherpw;
krb5_data encoded_setpw;
krb5_replay_data replay;
char *p;
DATA_BLOB setpw;
ret = krb5_auth_con_setflags(context,
auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
error_message(ret)));
return ret;
}
/* handle protocol differences in chpw and setpw */
if (pversion == KRB5_KPASSWD_VERS_CHANGEPW)
setpw = data_blob(passwd, strlen(passwd));
else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
pversion == KRB5_KPASSWD_VERS_SETPW_MS)
setpw = encode_krb5_setpw(princ, passwd);
else
return EINVAL;
encoded_setpw.data = (char *)setpw.data;
encoded_setpw.length = setpw.length;
ret = krb5_mk_priv(context, auth_context,
&encoded_setpw, &cipherpw, &replay);
data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */
if (ret) {
DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
return ret;
}
packet->data = (char *)malloc(ap_req->length + cipherpw.length + 6);
if (!packet->data)
return -1;
/* see the RFC for details */
p = ((char *)packet->data) + 2;
RSSVAL(p, 0, pversion);
p += 2;
RSSVAL(p, 0, ap_req->length);
p += 2;
memcpy(p, ap_req->data, ap_req->length);
p += ap_req->length;
memcpy(p, cipherpw.data, cipherpw.length);
p += cipherpw.length;
packet->length = PTR_DIFF(p,packet->data);
RSSVAL(packet->data, 0, packet->length);
free(cipherpw.data); /* from 'krb5_mk_priv(...)' */
return 0;
}
static const struct kpasswd_errors {
int result_code;
const char *error_string;
} kpasswd_errors[] = {
{KRB5_KPASSWD_MALFORMED, "Malformed request error"},
{KRB5_KPASSWD_HARDERROR, "Server error"},
{KRB5_KPASSWD_AUTHERROR, "Authentication error"},
{KRB5_KPASSWD_SOFTERROR, "Password change rejected"},
{KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"},
{KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"},
{KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"},
{KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"},
{KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"},
{KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"},
{0, NULL}
};
static krb5_error_code setpw_result_code_string(krb5_context context,
int result_code,
const char **code_string)
{
uint_t idx = 0;
while (kpasswd_errors[idx].error_string != NULL) {
if (kpasswd_errors[idx].result_code ==
result_code) {
*code_string = kpasswd_errors[idx].error_string;
return 0;
}
idx++;
}
*code_string = "Password change failed";
return (0);
}
static krb5_error_code parse_setpw_reply(krb5_context context,
krb5_auth_context auth_context,
krb5_data *packet)
{
krb5_data ap_rep;
char *p;
int vnum, ret, res_code;
krb5_data cipherresult;
krb5_data clearresult;
krb5_ap_rep_enc_part *ap_rep_enc;
krb5_replay_data replay;
if (packet->length < 4) {
return KRB5KRB_AP_ERR_MODIFIED;
}
p = packet->data;
if (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e) {
/* it's an error packet. We should parse it ... */
DEBUG(1,("Got error packet 0x%x from kpasswd server\n",
((char *)packet->data)[0]));
return KRB5KRB_AP_ERR_MODIFIED;
}
if (RSVAL(p, 0) != packet->length) {
DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
RSVAL(p, 0), packet->length));
return KRB5KRB_AP_ERR_MODIFIED;
}
p += 2;
vnum = RSVAL(p, 0); p += 2;
/* FIXME: According to standard there is only one type of reply */
if (vnum != KRB5_KPASSWD_VERS_SETPW &&
vnum != KRB5_KPASSWD_VERS_SETPW_MS &&
vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
return KRB5KDC_ERR_BAD_PVNO;
}
ap_rep.length = RSVAL(p, 0); p += 2;
if (p + ap_rep.length >= (char *)packet->data + packet->length) {
DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
return KRB5KRB_AP_ERR_MODIFIED;
}
if (ap_rep.length == 0) {
DEBUG(1,("got unencrypted setpw result?!\n"));
return KRB5KRB_AP_ERR_MODIFIED;
}
/* verify ap_rep */
ap_rep.data = p;
p += ap_rep.length;
ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
if (ret) {
DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
return KRB5KRB_AP_ERR_MODIFIED;
}
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
cipherresult.data = p;
cipherresult.length = ((char *)packet->data + packet->length) - p;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
&replay);
if (ret) {
DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
return KRB5KRB_AP_ERR_MODIFIED;
}
if (clearresult.length < 2) {
free(clearresult.data);
ret = KRB5KRB_AP_ERR_MODIFIED;
return KRB5KRB_AP_ERR_MODIFIED;
}
p = clearresult.data;
res_code = RSVAL(p, 0);
free(clearresult.data);
if ((res_code < KRB5_KPASSWD_SUCCESS) ||
(res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
return KRB5KRB_AP_ERR_MODIFIED;
}
if(res_code == KRB5_KPASSWD_SUCCESS)
return 0;
else {
const char *errstr;
setpw_result_code_string(context, res_code, &errstr);
DEBUG(1, ("Error changing password: %s\n", errstr));
switch(res_code) {
case KRB5_KPASSWD_ACCESSDENIED:
return KRB5KDC_ERR_BADOPTION;
break;
case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
return KRB5KDC_ERR_BADOPTION;
/* return KV5M_ALT_METHOD; MIT-only define */
break;
case KRB5_KPASSWD_ETYPE_NOSUPP:
return KRB5KDC_ERR_ETYPE_NOSUPP;
break;
case KRB5_KPASSWD_BAD_PRINCIPAL:
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
break;
case KRB5_KPASSWD_POLICY_REJECT:
return KRB5KDC_ERR_POLICY;
break;
default:
return KRB5KRB_ERR_GENERIC;
break;
}
}
}
static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
const char *kdc_host,
uint16_t pversion,
krb5_creds *credsp,
const char *princ,
const char *newpw)
{
krb5_auth_context auth_context = NULL;
krb5_data ap_req, chpw_req, chpw_rep;
int ret, sock, addr_len;
struct sockaddr remote_addr, local_addr;
krb5_address local_kaddr, remote_kaddr;
ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
NULL, credsp, &ap_req);
if (ret) {
DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
if (sock == -1) {
int rc = errno;
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
kdc_host, strerror(errno)));
return ADS_ERROR_SYSTEM(rc);
}
addr_len = sizeof(remote_addr);
getpeername(sock, &remote_addr, &addr_len);
addr_len = sizeof(local_addr);
getsockname(sock, &local_addr, &addr_len);
setup_kaddr(&remote_kaddr, &remote_addr);
setup_kaddr(&local_kaddr, &local_addr);
ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
if (ret) {
close(sock);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
princ, newpw, &chpw_req);
if (ret) {
close(sock);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) {
close(sock);
free(chpw_req.data);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
return ADS_ERROR_SYSTEM(errno);
}
free(chpw_req.data);
chpw_rep.length = 1500;
chpw_rep.data = (char *) malloc(chpw_rep.length);
if (!chpw_rep.data) {
close(sock);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
errno = ENOMEM;
return ADS_ERROR_SYSTEM(errno);
}
ret = read(sock, chpw_rep.data, chpw_rep.length);
if (ret < 0) {
close(sock);
free(chpw_rep.data);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
return ADS_ERROR_SYSTEM(errno);
}
close(sock);
chpw_rep.length = ret;
ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
if (ret) {
free(chpw_rep.data);
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
ret = parse_setpw_reply(context, auth_context, &chpw_rep);
free(chpw_rep.data);
if (ret) {
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
DEBUG(1,("parse_setpw_reply failed (%s)\n",
error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
free(ap_req.data);
krb5_auth_con_free(context, auth_context);
return ADS_SUCCESS;
}
ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
const char *newpw, int time_offset)
{
ADS_STATUS aret;
krb5_error_code ret;
krb5_context context;
krb5_principal principal;
char *princ_name;
char *realm;
krb5_creds creds, *credsp;
krb5_ccache ccache;
ret = krb5_init_context(&context);
if (ret) {
DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
if (time_offset != 0) {
krb5_set_real_time(context, time(NULL) + time_offset, 0);
}
ret = krb5_cc_default(context, &ccache);
if (ret) {
krb5_free_context(context);
DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
ZERO_STRUCT(creds);
realm = strchr(princ, '@');
realm++;
asprintf(&princ_name, "kadmin/changepw@%s", realm);
ret = krb5_parse_name(context, princ_name, &creds.server);
if (ret) {
krb5_free_context(context);
DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
free(princ_name);
/* parse the principal we got as a function argument */
ret = krb5_parse_name(context, princ, &principal);
if (ret) {
krb5_free_context(context);
DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
krb5_princ_set_realm(context, creds.server,
krb5_princ_realm(context, principal));
ret = krb5_cc_get_principal(context, ccache, &creds.client);
if (ret) {
krb5_free_principal(context, principal);
krb5_free_context(context);
DEBUG(1,("Failed to get principal from ccache (%s)\n",
error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
if (ret) {
krb5_free_principal(context, creds.client);
krb5_free_principal(context, principal);
krb5_free_context(context);
DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
/* we might have to call krb5_free_creds(...) from now on ... */
aret = do_krb5_kpasswd_request(context, kdc_host,
KRB5_KPASSWD_VERS_SETPW_MS,
credsp, princ, newpw);
krb5_free_creds(context, credsp);
krb5_free_principal(context, creds.client);
krb5_free_principal(context, principal);
krb5_free_context(context);
return aret;
}
/*
we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy ...
*/
static krb5_error_code
kerb_prompter(krb5_context ctx, void *data,
const char *name,
const char *banner,
int num_prompts,
krb5_prompt prompts[])
{
if (num_prompts == 0) return 0;
memset(prompts[0].reply->data, 0, prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
prompts[0].reply->length = strlen(prompts[0].reply->data);
} else {
prompts[0].reply->length = 0;
}
}
return 0;
}
static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
const char *principal,
const char *oldpw,
const char *newpw,
int time_offset)
{
ADS_STATUS aret;
krb5_error_code ret;
krb5_context context;
krb5_principal princ;
krb5_get_init_creds_opt opts;
krb5_creds creds;
char *chpw_princ = NULL, *password;
ret = krb5_init_context(&context);
if (ret) {
DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
if ((ret = krb5_parse_name(context, principal,
&princ))) {
krb5_free_context(context);
DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
krb5_get_init_creds_opt_init(&opts);
krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
krb5_get_init_creds_opt_set_renew_life(&opts, 0);
krb5_get_init_creds_opt_set_forwardable(&opts, 0);
krb5_get_init_creds_opt_set_proxiable(&opts, 0);
/* We have to obtain an INITIAL changepw ticket for changing password */
asprintf(&chpw_princ, "kadmin/changepw@%s",
(char *) krb5_princ_realm(context, princ));
password = strdup(oldpw);
ret = krb5_get_init_creds_password(context, &creds, princ, password,
kerb_prompter, NULL,
0, chpw_princ, &opts);
SAFE_FREE(chpw_princ);
SAFE_FREE(password);
if (ret) {
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
DEBUG(1,("Password incorrect while getting initial ticket"));
else
DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
krb5_free_principal(context, princ);
krb5_free_context(context);
return ADS_ERROR_KRB5(ret);
}
aret = do_krb5_kpasswd_request(context, kdc_host,
KRB5_KPASSWD_VERS_CHANGEPW,
&creds, principal, newpw);
krb5_free_principal(context, princ);
krb5_free_context(context);
return aret;
}
ADS_STATUS kerberos_set_password(const char *kpasswd_server,
const char *auth_principal, const char *auth_password,
const char *target_principal, const char *new_password,
int time_offset)
{
int ret;
if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
if (!strcmp(auth_principal, target_principal))
return ads_krb5_chg_password(kpasswd_server, target_principal,
auth_password, new_password, time_offset);
else
return ads_krb5_set_password(kpasswd_server, target_principal,
new_password, time_offset);
}
/**
* Set the machine account password
* @param ads connection to ads server
* @param hostname machine whose password is being set
* @param password new password
* @return status of password change
**/
ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
const char *machine_account,
const char *password)
{
ADS_STATUS status;
char *principal = NULL;
/*
we need to use the '$' form of the name here (the machine account name),
as otherwise the server might end up setting the password for a user
instead
*/
asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
status = ads_krb5_set_password(ads->auth.kdc_server, principal,
password, ads->auth.time_offset);
free(principal);
return status;
}
#endif

2140
source/libads/ldap.c
View File

File diff suppressed because it is too large Load Diff

353
source/libads/ldap_printer.c
View File

@ -1,353 +0,0 @@
/*
Unix SMB/CIFS implementation.
ads (active directory) printer utility library
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_ADS
/*
find a printer given the name and the hostname
Note that results "res" may be allocated on return so that the
results can be used. It should be freed using ads_msgfree.
*/
ADS_STATUS ads_find_printer_on_server(ADS_STRUCT *ads, void **res,
const char *printer, const char *servername)
{
ADS_STATUS status;
char *srv_dn, **srv_cn, *s;
const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
status = ads_find_machine_acct(ads, res, servername);
if (!ADS_ERR_OK(status)) {
DEBUG(1, ("ads_add_printer: cannot find host %s in ads\n",
servername));
return status;
}
srv_dn = ldap_get_dn(ads->ld, *res);
srv_cn = ldap_explode_dn(srv_dn, 1);
ads_msgfree(ads, *res);
asprintf(&s, "(cn=%s-%s)", srv_cn[0], printer);
status = ads_search(ads, res, s, attrs);
ldap_memfree(srv_dn);
ldap_value_free(srv_cn);
free(s);
return status;
}
ADS_STATUS ads_find_printers(ADS_STRUCT *ads, void **res)
{
char *ldap_expr;
const char *attrs[] = { "objectClass", "printerName", "location", "driverName",
"serverName", "description", NULL };
/* For the moment only display all printers */
ldap_expr = "(&(!(showInAdvancedViewOnly=TRUE))(uncName=*)"
"(objectCategory=printQueue))";
return ads_search(ads, res, ldap_expr, attrs);
}
/*
modify a printer entry in the directory
*/
ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
TALLOC_CTX *ctx, const ADS_MODLIST *mods)
{
return ads_gen_mod(ads, prt_dn, *mods);
}
/*
add a printer to the directory
*/
ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
TALLOC_CTX *ctx, ADS_MODLIST *mods)
{
ads_mod_str(ctx, mods, "objectClass", "printQueue");
return ads_gen_add(ads, prt_dn, *mods);
}
/*
map a REG_SZ to an ldap mod
*/
static BOOL map_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char *str_value = NULL;
ADS_STATUS status;
if (value->type != REG_SZ)
return False;
if (value->size && SVAL(value->data_p, 0)) {
pull_ucs2_talloc(ctx, &str_value, value->data_p);
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
return True;
}
/*
map a REG_DWORD to an ldap mod
*/
static BOOL map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char *str_value = NULL;
ADS_STATUS status;
if (value->type != REG_DWORD)
return False;
str_value = talloc_asprintf(ctx, "%d", *((uint32_t *) value->data_p));
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
/*
map a boolean REG_BINARY to an ldap mod
*/
static BOOL map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char *str_value;
ADS_STATUS status;
if ((value->type != REG_BINARY) || (value->size != 1))
return False;
str_value = talloc_asprintf(ctx, "%s",
*(value->data_p) ? "TRUE" : "FALSE");
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
/*
map a REG_MULTI_SZ to an ldap mod
*/
static BOOL map_multi_sz(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char **str_values = NULL;
char *cur_str = value->data_p;
uint32_t size = 0, num_vals = 0, i=0;
ADS_STATUS status;
if (value->type != REG_MULTI_SZ)
return False;
while (cur_str && *cur_str && (size < value->size)) {
size_t this_size = utf16_len(cur_str);
cur_str += this_size;
size += this_size;
num_vals++;
};
if (num_vals) {
str_values = talloc_array(ctx, char *, num_vals + 1);
cur_str = value->data_p;
for (i=0; i < num_vals; i++) {
pull_ucs2_talloc(ctx, &str_values[i], cur_str);
cur_str += utf16_len(cur_str);
}
str_values[i] = NULL;
status = ads_mod_strlist(ctx, mods, value->valuename,
(const char **) str_values);
return ADS_ERR_OK(status);
}
return True;
}
struct valmap_to_ads {
const char *valname;
BOOL (*fn)(TALLOC_CTX *, ADS_MODLIST *, const REGISTRY_VALUE *);
};
/*
map a REG_SZ to an ldap mod
*/
static void map_regval_to_ads(TALLOC_CTX *ctx, ADS_MODLIST *mods,
REGISTRY_VALUE *value)
{
const struct valmap_to_ads map[] = {
{SPOOL_REG_ASSETNUMBER, map_sz},
{SPOOL_REG_BYTESPERMINUTE, map_dword},
{SPOOL_REG_DEFAULTPRIORITY, map_dword},
{SPOOL_REG_DESCRIPTION, map_sz},
{SPOOL_REG_DRIVERNAME, map_sz},
{SPOOL_REG_DRIVERVERSION, map_dword},
{SPOOL_REG_FLAGS, map_dword},
{SPOOL_REG_LOCATION, map_sz},
{SPOOL_REG_OPERATINGSYSTEM, map_sz},
{SPOOL_REG_OPERATINGSYSTEMHOTFIX, map_sz},
{SPOOL_REG_OPERATINGSYSTEMSERVICEPACK, map_sz},
{SPOOL_REG_OPERATINGSYSTEMVERSION, map_sz},
{SPOOL_REG_PORTNAME, map_multi_sz},
{SPOOL_REG_PRINTATTRIBUTES, map_dword},
{SPOOL_REG_PRINTBINNAMES, map_multi_sz},
{SPOOL_REG_PRINTCOLLATE, map_bool},
{SPOOL_REG_PRINTCOLOR, map_bool},
{SPOOL_REG_PRINTDUPLEXSUPPORTED, map_bool},
{SPOOL_REG_PRINTENDTIME, map_dword},
{SPOOL_REG_PRINTFORMNAME, map_sz},
{SPOOL_REG_PRINTKEEPPRINTEDJOBS, map_bool},
{SPOOL_REG_PRINTLANGUAGE, map_multi_sz},
{SPOOL_REG_PRINTMACADDRESS, map_sz},
{SPOOL_REG_PRINTMAXCOPIES, map_sz},
{SPOOL_REG_PRINTMAXRESOLUTIONSUPPORTED, map_dword},
{SPOOL_REG_PRINTMAXXEXTENT, map_dword},
{SPOOL_REG_PRINTMAXYEXTENT, map_dword},
{SPOOL_REG_PRINTMEDIAREADY, map_multi_sz},
{SPOOL_REG_PRINTMEDIASUPPORTED, map_multi_sz},
{SPOOL_REG_PRINTMEMORY, map_dword},
{SPOOL_REG_PRINTMINXEXTENT, map_dword},
{SPOOL_REG_PRINTMINYEXTENT, map_dword},
{SPOOL_REG_PRINTNETWORKADDRESS, map_sz},
{SPOOL_REG_PRINTNOTIFY, map_sz},
{SPOOL_REG_PRINTNUMBERUP, map_dword},
{SPOOL_REG_PRINTORIENTATIONSSUPPORTED, map_multi_sz},
{SPOOL_REG_PRINTOWNER, map_sz},
{SPOOL_REG_PRINTPAGESPERMINUTE, map_dword},
{SPOOL_REG_PRINTRATE, map_dword},
{SPOOL_REG_PRINTRATEUNIT, map_sz},
{SPOOL_REG_PRINTSEPARATORFILE, map_sz},
{SPOOL_REG_PRINTSHARENAME, map_sz},
{SPOOL_REG_PRINTSPOOLING, map_sz},
{SPOOL_REG_PRINTSTAPLINGSUPPORTED, map_bool},
{SPOOL_REG_PRINTSTARTTIME, map_dword},
{SPOOL_REG_PRINTSTATUS, map_sz},
{SPOOL_REG_PRIORITY, map_dword},
{SPOOL_REG_SERVERNAME, map_sz},
{SPOOL_REG_SHORTSERVERNAME, map_sz},
{SPOOL_REG_UNCNAME, map_sz},
{SPOOL_REG_URL, map_sz},
{SPOOL_REG_VERSIONNUMBER, map_dword},
{NULL, NULL}
};
int i;
for (i=0; map[i].valname; i++) {
if (strcasecmp_m(map[i].valname, value->valuename) == 0) {
if (!map[i].fn(ctx, mods, value)) {
DEBUG(5, ("Add of value %s to modlist failed\n", value->valuename));
} else {
DEBUG(7, ("Mapped value %s\n", value->valuename));
}
}
}
}
WERROR get_remote_printer_publishing_data(struct smbcli_state *cli,
TALLOC_CTX *mem_ctx,
ADS_MODLIST *mods,
const char *printer)
{
WERROR result;
char *printername, *servername;
REGVAL_CTR dsdriver_ctr, dsspooler_ctr;
BOOL got_dsdriver = False, got_dsspooler = False;
uint32_t needed, i;
POLICY_HND pol;
asprintf(&servername, "\\\\%s", cli->desthost);
asprintf(&printername, "%s\\%s", servername, printer);
if (!servername || !printername) {
DEBUG(3, ("Insufficient memory\n"));
return WERR_NOMEM;
}
result = smbcli_spoolss_open_printer_ex(cli, mem_ctx, printername,
"", MAXIMUM_ALLOWED_ACCESS,
servername, cli->user_name, &pol);
if (!W_ERROR_IS_OK(result)) {
DEBUG(3, ("Unable to open printer %s, error is %s.\n",
printername, dos_errstr(result)));
return result;
}
result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed,
&pol, SPOOL_DSDRIVER_KEY, NULL);
if (W_ERROR_V(result) == ERRmoredata)
result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed,
NULL, &pol,
SPOOL_DSDRIVER_KEY,
&dsdriver_ctr);
if (!W_ERROR_IS_OK(result)) {
DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
printername, dos_errstr(result)));
} else {
/* Have the data we need now, so start building */
got_dsdriver = True;
for (i=0; i < dsdriver_ctr.num_values; i++)
map_regval_to_ads(mem_ctx, mods,
dsdriver_ctr.values[i]);
}
result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, 0, &needed,
&pol, SPOOL_DSSPOOLER_KEY,
NULL);
if (W_ERROR_V(result) == ERRmoredata)
result = smbcli_spoolss_enumprinterdataex(cli, mem_ctx, needed,
NULL, &pol,
SPOOL_DSSPOOLER_KEY,
&dsspooler_ctr);
if (!W_ERROR_IS_OK(result)) {
DEBUG(3, ("Unable to do enumdataex on %s, error is %s.\n",
printername, dos_errstr(result)));
} else {
got_dsspooler = True;
for (i=0; i < dsspooler_ctr.num_values; i++)
map_regval_to_ads(mem_ctx, mods,
dsspooler_ctr.values[i]);
}
ads_mod_str(mem_ctx, mods, SPOOL_REG_PRINTERNAME, printer);
if (got_dsdriver) regval_ctr_destroy(&dsdriver_ctr);
if (got_dsspooler) regval_ctr_destroy(&dsspooler_ctr);
smbcli_spoolss_close_printer(cli, mem_ctx, &pol);
return result;
}
BOOL get_local_printer_publishing_data(TALLOC_CTX *mem_ctx,
ADS_MODLIST *mods,
NT_PRINTER_DATA *data)
{
uint32_t key,val;
for (key=0; key < data->num_keys; key++) {
REGVAL_CTR ctr = data->keys[key].values;
for (val=0; val < ctr.num_values; val++)
map_regval_to_ads(mem_ctx, mods, ctr.values[val]);
}
return True;
}
#endif

119
source/libads/ldap_user.c
View File

@ -1,119 +0,0 @@
/*
Unix SMB/CIFS implementation.
ads (active directory) utility library
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_ADS
/*
find a user account
*/
ADS_STATUS ads_find_user_acct(ADS_STRUCT *ads, void **res, const char *user)
{
ADS_STATUS status;
char *ldap_exp;
const char *attrs[] = {"*", NULL};
char *escaped_user = escape_ldap_string_alloc(user);
if (!escaped_user) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
asprintf(&ldap_exp, "(samAccountName=%s)", escaped_user);
status = ads_search(ads, res, ldap_exp, attrs);
SAFE_FREE(ldap_exp);
SAFE_FREE(escaped_user);
return status;
}
ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
const char *container, const char *fullname)
{
TALLOC_CTX *ctx;
ADS_MODLIST mods;
ADS_STATUS status;
const char *upn, *new_dn, *name, *controlstr;
const char *objectClass[] = {"top", "person", "organizationalPerson",
"user", NULL};
if (fullname && *fullname) name = fullname;
else name = user;
if (!(ctx = talloc_init("ads_add_user_acct")))
return ADS_ERROR(LDAP_NO_MEMORY);
status = ADS_ERROR(LDAP_NO_MEMORY);
if (!(upn = talloc_asprintf(ctx, "%s@%s", user, ads->config.realm)))
goto done;
if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", name, container,
ads->config.bind_path)))
goto done;
if (!(controlstr = talloc_asprintf(ctx, "%u", UF_NORMAL_ACCOUNT)))
goto done;
if (!(mods = ads_init_mods(ctx)))
goto done;
ads_mod_str(ctx, &mods, "cn", name);
ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
ads_mod_str(ctx, &mods, "userPrincipalName", upn);
ads_mod_str(ctx, &mods, "name", name);
ads_mod_str(ctx, &mods, "displayName", name);
ads_mod_str(ctx, &mods, "sAMAccountName", user);
ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
status = ads_gen_add(ads, new_dn, mods);
done:
talloc_free(ctx);
return status;
}
ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
const char *container, const char *comment)
{
TALLOC_CTX *ctx;
ADS_MODLIST mods;
ADS_STATUS status;
char *new_dn;
const char *objectClass[] = {"top", "group", NULL};
if (!(ctx = talloc_init("ads_add_group_acct")))
return ADS_ERROR(LDAP_NO_MEMORY);
status = ADS_ERROR(LDAP_NO_MEMORY);
if (!(new_dn = talloc_asprintf(ctx, "cn=%s,%s,%s", group, container,
ads->config.bind_path)))
goto done;
if (!(mods = ads_init_mods(ctx)))
goto done;
ads_mod_str(ctx, &mods, "cn", group);
ads_mod_strlist(ctx, &mods, "objectClass",objectClass);
ads_mod_str(ctx, &mods, "name", group);
if (comment && *comment)
ads_mod_str(ctx, &mods, "description", comment);
ads_mod_str(ctx, &mods, "sAMAccountName", group);
status = ads_gen_add(ads, new_dn, mods);
done:
talloc_free(ctx);
return status;
}
#endif

108
source/libads/ldap_utils.c
View File

@ -1,108 +0,0 @@
/*
Unix SMB/CIFS implementation.
Some Helpful wrappers on LDAP
Copyright (C) Andrew Tridgell 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_LDAP
/*
a wrapper around ldap_search_s that retries depending on the error code
this is supposed to catch dropped connections and auto-reconnect
*/
ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope,
const char *expr,
const char **attrs, void **res)
{
ADS_STATUS status;
int count = 3;
char *bp;
*res = NULL;
if (!ads->ld &&
time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) {
return ADS_ERROR(LDAP_SERVER_DOWN);
}
bp = strdup(bind_path);
if (!bp) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
while (count--) {
*res = NULL;
status = ads_do_search_all(ads, bp, scope, expr, attrs, res);
if (ADS_ERR_OK(status)) {
DEBUG(5,("Search for %s gave %d replies\n",
expr, ads_count_replies(ads, *res)));
SAFE_FREE(bp);
return status;
}
if (*res)
ads_msgfree(ads, *res);
*res = NULL;
DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n",
ads->config.realm, ads_errstr(status)));
if (ads->ld) {
ldap_unbind(ads->ld);
}
ads->ld = NULL;
status = ads_connect(ads);
if (!ADS_ERR_OK(status)) {
DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n",
ads_errstr(status)));
ads_destroy(&ads);
SAFE_FREE(bp);
return status;
}
}
SAFE_FREE(bp);
if (!ADS_ERR_OK(status))
DEBUG(1,("ads reopen failed after error %s\n",
ads_errstr(status)));
return status;
}
ADS_STATUS ads_search_retry(ADS_STRUCT *ads, void **res,
const char *expr,
const char **attrs)
{
return ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
expr, attrs, res);
}
ADS_STATUS ads_search_retry_dn(ADS_STRUCT *ads, void **res,
const char *dn,
const char **attrs)
{
return ads_do_search_retry(ads, dn, LDAP_SCOPE_BASE,
"(objectclass=*)", attrs, res);
}
#endif

438
source/libads/sasl.c
View File

@ -1,438 +0,0 @@
/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_LDAP
/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
{
const char *mechs[] = {OID_NTLMSSP, NULL};
DATA_BLOB msg1;
DATA_BLOB blob, chal1, chal2, auth;
uint8_t challenge[8];
uint8_t nthash[24], lmhash[24], sess_key[16];
uint32_t neg_flags;
struct berval cred, *scred;
ADS_STATUS status;
int rc;
if (!ads->auth.password) {
/* No password, don't segfault below... */
return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
neg_flags = NTLMSSP_NEGOTIATE_UNICODE |
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_NTLM;
memset(sess_key, 0, 16);
/* generate the ntlmssp negotiate packet */
msrpc_gen(&blob, "CddB",
"NTLMSSP",
NTLMSSP_NEGOTIATE,
neg_flags,
sess_key, 16);
/* and wrap it in a SPNEGO wrapper */
msg1 = gen_negTokenTarg(mechs, blob);
data_blob_free(&blob);
cred.bv_val = (char *)msg1.data;
cred.bv_len = msg1.length;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
status = ADS_ERROR(rc);
goto failed;
}
blob = data_blob(scred->bv_val, scred->bv_len);
/* the server gives us back two challenges */
if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
DEBUG(3,("Failed to parse challenges\n"));
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
goto failed;
}
data_blob_free(&blob);
/* encrypt the password with the challenge */
memcpy(challenge, chal1.data + 24, 8);
SMBencrypt(ads->auth.password, challenge,lmhash);
SMBNTencrypt(ads->auth.password, challenge,nthash);
data_blob_free(&chal1);
data_blob_free(&chal2);
/* this generates the actual auth packet */
msrpc_gen(&blob, "CdBBUUUBd",
"NTLMSSP",
NTLMSSP_AUTH,
lmhash, 24,
nthash, 24,
lp_workgroup(),
ads->auth.user_name,
lp_netbios_name(),
sess_key, 16,
neg_flags);
/* wrap it in SPNEGO */
auth = spnego_gen_auth(blob);
data_blob_free(&blob);
/* now send the auth packet and we should be done */
cred.bv_val = (char *)auth.data;
cred.bv_len = auth.length;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
return ADS_ERROR(rc);
failed:
return status;
}
/*
perform a LDAP/SASL/SPNEGO/KRB5 bind
*/
static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal)
{
DATA_BLOB blob;
struct berval cred, *scred;
DATA_BLOB session_key;
int rc;
rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key);
if (rc) {
return ADS_ERROR_KRB5(rc);
}
/* now send the auth packet and we should be done */
cred.bv_val = (char *)blob.data;
cred.bv_len = blob.length;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
data_blob_free(&blob);
data_blob_free(&session_key);
return ADS_ERROR(rc);
}
/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
{
struct berval *scred=NULL;
int rc, i;
ADS_STATUS status;
DATA_BLOB blob;
char *principal;
char *OIDs[ASN1_MAX_OIDS];
BOOL got_kerberos_mechanism = False;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
status = ADS_ERROR(rc);
goto failed;
}
blob = data_blob(scred->bv_val, scred->bv_len);
ber_bvfree(scred);
#if 0
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
/* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
data_blob_free(&blob);
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
goto failed;
}
data_blob_free(&blob);
/* make sure the server understands kerberos */
for (i=0;OIDs[i];i++) {
DEBUG(3,("got OID=%s\n", OIDs[i]));
if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
strcmp(OIDs[i], OID_KERBEROS5) == 0) {
got_kerberos_mechanism = True;
}
free(OIDs[i]);
}
DEBUG(3,("got principal=%s\n", principal));
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism) {
status = ads_sasl_spnego_krb5_bind(ads, principal);
if (ADS_ERR_OK(status))
return status;
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_krb5_bind(ads, principal);
}
/* only fallback to NTLMSSP if allowed */
if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
return status;
}
}
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
return ads_sasl_spnego_ntlmssp_bind(ads);
failed:
return status;
}
#ifdef HAVE_GSSAPI
#define MAX_GSS_PASSES 3
/* this performs a SASL/gssapi bind
we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
is very dependent on correctly configured DNS whereas
this routine is much less fragile
see RFC2078 and RFC2222 for details
*/
static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
{
uint32_t minor_status;
gss_name_t serv_name;
gss_buffer_desc input_name;
gss_ctx_id_t context_handle;
gss_OID mech_type = GSS_C_NULL_OID;
gss_buffer_desc output_token, input_token;
uint32_t ret_flags, conf_state;
struct berval cred;
struct berval *scred;
int i=0;
int gss_rc, rc;
uint8_t *p;
uint32_t max_msg_size;
char *sname;
uint_t sec_layer;
ADS_STATUS status;
krb5_principal principal;
krb5_context ctx;
krb5_enctype enc_types[] = {
#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
#endif
ENCTYPE_DES_CBC_MD5,
ENCTYPE_NULL};
gss_OID_desc nt_principal =
{10, "\052\206\110\206\367\022\001\002\002\002"};
/* we need to fetch a service ticket as the ldap user in the
servers realm, regardless of our realm */
asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
krb5_init_context(&ctx);
krb5_set_default_tgs_ktypes(ctx, enc_types);
krb5_parse_name(ctx, sname, &principal);
free(sname);
krb5_free_context(ctx);
input_name.value = &principal;
input_name.length = sizeof(principal);
gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
if (gss_rc) {
return ADS_ERROR_GSS(gss_rc, minor_status);
}
context_handle = GSS_C_NO_CONTEXT;
input_token.value = NULL;
input_token.length = 0;
for (i=0; i < MAX_GSS_PASSES; i++) {
gss_rc = gss_init_sec_context(&minor_status,
GSS_C_NO_CREDENTIAL,
&context_handle,
serv_name,
mech_type,
GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
0,
NULL,
&input_token,
NULL,
&output_token,
&ret_flags,
NULL);
if (input_token.value) {
gss_release_buffer(&minor_status, &input_token);
}
if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
status = ADS_ERROR_GSS(gss_rc, minor_status);
goto failed;
}
cred.bv_val = output_token.value;
cred.bv_len = output_token.length;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
&scred);
if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
status = ADS_ERROR(rc);
goto failed;
}
if (output_token.value) {
gss_release_buffer(&minor_status, &output_token);
}
if (scred) {
input_token.value = scred->bv_val;
input_token.length = scred->bv_len;
} else {
input_token.value = NULL;
input_token.length = 0;
}
if (gss_rc == 0) break;
}
gss_release_name(&minor_status, &serv_name);
gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
(int *)&conf_state,NULL);
if (gss_rc) {
status = ADS_ERROR_GSS(gss_rc, minor_status);
goto failed;
}
gss_release_buffer(&minor_status, &input_token);
p = (uint8_t *)output_token.value;
file_save("sasl_gssapi.dat", output_token.value, output_token.length);
max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
sec_layer = *p;
gss_release_buffer(&minor_status, &output_token);
output_token.value = malloc(strlen(ads->config.bind_path) + 8);
p = output_token.value;
*p++ = 1; /* no sign & seal selection */
/* choose the same size as the server gave us */
*p++ = max_msg_size>>16;
*p++ = max_msg_size>>8;
*p++ = max_msg_size;
snprintf((char *)p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path);
p += strlen((const char *)p);
output_token.length = PTR_DIFF(p, output_token.value);
gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
&output_token, (int *)&conf_state,
&input_token);
if (gss_rc) {
status = ADS_ERROR_GSS(gss_rc, minor_status);
goto failed;
}
free(output_token.value);
cred.bv_val = input_token.value;
cred.bv_len = input_token.length;
rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
&scred);
status = ADS_ERROR(rc);
gss_release_buffer(&minor_status, &input_token);
failed:
return status;
}
#endif
/* mapping between SASL mechanisms and functions */
static struct {
const char *name;
ADS_STATUS (*fn)(ADS_STRUCT *);
} sasl_mechanisms[] = {
{"GSS-SPNEGO", ads_sasl_spnego_bind},
#ifdef HAVE_GSSAPI
{"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */
#endif
{NULL, NULL}
};
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
{
const char *attrs[] = {"supportedSASLMechanisms", NULL};
char **values;
ADS_STATUS status;
int i, j;
void *res;
/* get a list of supported SASL mechanisms */
status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status)) return status;
values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms");
/* try our supported mechanisms in order */
for (i=0;sasl_mechanisms[i].name;i++) {
/* see if the server supports it */
for (j=0;values && values[j];j++) {
if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
DEBUG(4,("Found SASL mechanism %s\n", values[j]));
status = sasl_mechanisms[i].fn(ads);
ldap_value_free(values);
ldap_msgfree(res);
return status;
}
}
}
ldap_value_free(values);
ldap_msgfree(res);
return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
}
#endif

67
source/libads/util.c
View File

@ -1,67 +0,0 @@
/*
Unix SMB/CIFS implementation.
krb5 set password implementation
Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_KRB5
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
char *tmp_password;
char *password;
char *new_password;
char *service_principal = NULL;
ADS_STATUS ret;
uint32_t sec_channel_type;
if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
return ADS_ERROR_SYSTEM(ENOENT);
}
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
new_password = strdup(tmp_password);
asprintf(&service_principal, "HOST/%s", host_principal);
if (!service_principal) {
DEBUG(1,("asprintf() failed principal %s\n", host_principal));
return ADS_ERROR_SYSTEM(ENOMEM);
}
ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
if (!ADS_ERR_OK(ret)) goto failed;
if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
DEBUG(1,("Failed to save machine password\n"));
return ADS_ERROR_SYSTEM(EACCES);
}
failed:
SAFE_FREE(service_principal);
SAFE_FREE(new_password);
return ret;
}
#endif