s3: avoid global include of ads.h.

Guenther

libgpo/gpo.h

@@ -24,6 +24,7 @@
 #include "source4/libgpo/ads_convenience.h"
 #else
 struct loadparm_context;
+#include "ads.h"
 #endif
 
 enum GPO_LINK_TYPE {

source3/Makefile.in

@@ -456,7 +456,9 @@ LIBGPO_OBJ = $(LIBGPO_OBJ0)
 
 LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o \
 	     libads/sasl.o libads/sasl_wrapping.o \
-	     libads/krb5_setpw.o libads/ldap_user.o \
+	     libads/krb5_setpw.o \
+	     libads/kerberos_util.o \
+	     libads/ldap_user.o \
 	     libads/ads_struct.o libads/kerberos_keytab.o \
              libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \
 	     libads/ldap_schema.o libads/util.o libads/ndr.o

source3/include/ads.h

@@ -148,6 +148,12 @@ typedef struct {
 	int critical;
 } ads_control;
 
-#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178@please_ignore"
+#include "libads/ads_proto.h"
+
+#ifdef HAVE_LDAP
+#include "libads/ads_ldap_protos.h"
+#endif
+
+#include "libads/kerberos_proto.h"
 
 #endif	/* _INCLUDE_ADS_H_ */

source3/include/includes.h

@@ -628,7 +628,6 @@ extern void *cmdline_lp_ctx;
 
 #include "krb5_env.h"
 #include "libads/ads_status.h"
-#include "ads.h"
 #include "interfaces.h"
 #include "trans2.h"
 #include "../libcli/util/error.h"
@@ -736,10 +735,6 @@ enum flush_reason_enum {
 #include "modules/vfs_irixacl.h"
 #endif
 
-#ifdef HAVE_LDAP
-#include "libads/ads_ldap_protos.h"
-#endif
-
 /* We need this after proto.h to reference GetTimeOfDay(). */
 #include "smbprofile.h"
 

source3/include/proto.h

@@ -1727,244 +1727,6 @@ void wins_srv_tags_free(char **list);
 struct in_addr wins_srv_ip_tag(const char *tag, struct in_addr src_ip);
 unsigned wins_srv_count_tag(const char *tag);
 
-/* The following definitions come from libads/ads_struct.c  */
-
-char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
-char *ads_build_dn(const char *realm);
-char *ads_build_domain(const char *dn);
-ADS_STRUCT *ads_init(const char *realm, 
-		     const char *workgroup,
-		     const char *ldap_server);
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
-void ads_destroy(ADS_STRUCT **ads);
-
-const char *ads_get_ldap_server_name(ADS_STRUCT *ads);
-
-/* The following definitions come from libads/authdata.c  */
-
-NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
-			     const char *name,
-			     const char *pass,
-			     time_t time_offset,
-			     time_t *expire_time,
-			     time_t *renew_till_time,
-			     const char *cache_name,
-			     bool request_pac,
-			     bool add_netbios_addr,
-			     time_t renewable_time,
-			     const char *impersonate_princ_s,
-			     struct PAC_LOGON_INFO **logon_info);
-
-/* The following definitions come from libads/disp_sec.c  */
-
-void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd);
-
-/* The following definitions come from libads/kerberos.c  */
-
-int kerberos_kinit_password_ext(const char *principal,
-				const char *password,
-				int time_offset,
-				time_t *expire_time,
-				time_t *renew_till_time,
-				const char *cache_name,
-				bool request_pac,
-				bool add_netbios_addr,
-				time_t renewable_time,
-				NTSTATUS *ntstatus);
-int ads_kinit_password(ADS_STRUCT *ads);
-int ads_kdestroy(const char *cc_name);
-char* kerberos_standard_des_salt( void );
-bool kerberos_secrets_store_des_salt( const char* salt );
-char* kerberos_secrets_fetch_des_salt( void );
-char *kerberos_get_default_realm_from_ccache( void );
-char *kerberos_get_realm_from_hostname(const char *hostname);
-
-bool kerberos_secrets_store_salting_principal(const char *service,
-					      int enctype,
-					      const char *principal);
-int kerberos_kinit_password(const char *principal,
-			    const char *password,
-			    int time_offset,
-			    const char *cache_name);
-bool create_local_private_krb5_conf_for_domain(const char *realm,
-						const char *domain,
-						const char *sitename,
-						struct sockaddr_storage *pss,
-						const char *kdc_name);
-
-/* The following definitions come from libads/kerberos_keytab.c  */
-
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc);
-int ads_keytab_flush(ADS_STRUCT *ads);
-int ads_keytab_create_default(ADS_STRUCT *ads);
-int ads_keytab_list(const char *keytab_name);
-
-/* The following definitions come from libads/kerberos_verify.c  */
-
-NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
-			   const char *realm,
-			   time_t time_offset,
-			   const DATA_BLOB *ticket,
-			   char **principal,
-			   struct PAC_LOGON_INFO **logon_info,
-			   DATA_BLOB *ap_rep,
-			   DATA_BLOB *session_key,
-			   bool use_replay_cache);
-
-/* The following definitions come from libads/krb5_errs.c  */
-
-
-/* The following definitions come from libads/krb5_setpw.c  */
-
-ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, 
-				 const char *newpw, int time_offset);
-ADS_STATUS kerberos_set_password(const char *kpasswd_server, 
-				 const char *auth_principal, const char *auth_password,
-				 const char *target_principal, const char *new_password,
-				 int time_offset);
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
-				    const char *machine_account,
-				    const char *password);
-
-/* The following definitions come from libads/ldap.c  */
-
-bool ads_sitename_match(ADS_STRUCT *ads);
-bool ads_closest_dc(ADS_STRUCT *ads);
-ADS_STATUS ads_connect(ADS_STRUCT *ads);
-ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads);
-ADS_STATUS ads_connect_gc(ADS_STRUCT *ads);
-void ads_disconnect(ADS_STRUCT *ads);
-ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
-				int scope, const char *expr, const char **attrs,
-				bool (*fn)(ADS_STRUCT *, char *, void **, void *), 
-				void *data_area);
-char *ads_parent_dn(const char *dn);
-ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx);
-ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, 
-		       const char *name, const char *val);
-ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
-			   const char *name, const char **vals);
-ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods);
-ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods);
-ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn);
-char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit);
-char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid);
-ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
-				const char *name, const char **vals);
-uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
-uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
-ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
-ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, 
-                                          const char *my_fqdn, const char *spn);
-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, 
-                                   const char *org_unit);
-ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, 
-                                 const char *org_unit, bool *moved);
-int ads_count_replies(ADS_STRUCT *ads, void *res);
-ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn);
-ADS_STATUS ads_current_time(ADS_STRUCT *ads);
-ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val);
-ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid);
-ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name);
-ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn);
-ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes);
-ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
-				TALLOC_CTX *mem_ctx,
-				char ***ous,
-				size_t *num_ous);
-ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
-					const char *extended_dn,
-					enum ads_extended_dn_flags flags,
-					struct dom_sid *sid);
-char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
-char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
-char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
-ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
-			uint32 account_type, const char *org_unit);
-ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname);
-ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
-			       TALLOC_CTX *mem_ctx,
-			       const char *samaccountname,
-			       uint32 *uac_ret,
-			       const char **dn_ret);
-ADS_STATUS ads_config_path(ADS_STRUCT *ads, 
-			   TALLOC_CTX *mem_ctx, 
-			   char **config_path);
-const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads, 
-						const char *config_path, 
-						TALLOC_CTX *mem_ctx, 
-						const struct GUID *rights_guid);
-ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
-			   ADS_STRUCT *ads,
-			   const char **account_ou);
-
-/* The following definitions come from libads/ldap_printer.c  */
-
-ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
-				 TALLOC_CTX *ctx, const ADS_MODLIST *mods);
-ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
-					TALLOC_CTX *ctx, ADS_MODLIST *mods);
-WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli, 
-					  TALLOC_CTX *mem_ctx,
-					  ADS_MODLIST *mods,
-					  const char *printer);
-
-/* The following definitions come from libads/ldap_user.c  */
-
-ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user, 
-			     const char *container, const char *fullname);
-ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group, 
-			      const char *container, const char *comment);
-
-/* The following definitions come from libads/ldap_utils.c  */
-
-ADS_STATUS ads_ranged_search(ADS_STRUCT *ads, 
-			     TALLOC_CTX *mem_ctx,
-			     int scope,
-			     const char *base,
-			     const char *filter,
-			     void *args,
-			     const char *range_attr,
-			     char ***strings,
-			     size_t *num_strings);
-ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads, 
-				      TALLOC_CTX *mem_ctx,
-				      int scope,
-				      const char *base,
-				      const char *filter,
-				      const char **attrs,
-				      void *args,
-				      const char *range_attr,
-				      char ***strings,
-				      size_t *num_strings,
-				      uint32 *first_usn,
-				      int *num_retries,
-				      bool *more_values);
-
-/* The following definitions come from libads/ndr.c  */
-
-void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r);
-void ndr_print_ads_struct(struct ndr_print *ndr, const char *name, const struct ads_struct *r);
-
-/* The following definitions come from libads/sasl.c  */
-
-ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
-
-/* The following definitions come from libads/sasl_wrapping.c  */
-
-ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
-				   const struct ads_saslwrap_ops *ops,
-				   void *private_data);
-ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
-				   const struct ads_saslwrap_ops *ops,
-				   void *private_data);
-
-/* The following definitions come from libads/util.c  */
-
-ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal);
-ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
-				       char **returned_principal);
-
 /* The following definitions come from librpc/ndr/util.c  */
 
 enum ndr_err_code ndr_push_server_id(struct ndr_push *ndr, int ndr_flags, const struct server_id *r);

source3/include/smb_krb5.h

@@ -4,6 +4,8 @@
 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
 /* this file uses DEPRECATED interfaces! */
 
+#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178@please_ignore"
+
 #if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
 #define KRB5_DEPRECATED 1
 #else

source3/include/smbldap.h

@@ -247,4 +247,10 @@ struct ldapsam_privates;
 #define LDAP_CONNECTION_DEFAULT_TIMEOUT 2
 #define LDAP_PAGE_SIZE 1024
 
+#ifndef LDAP_OPT_SUCCESS
+#define LDAP_OPT_SUCCESS 0
+#endif
+
+#define ADS_PAGE_CTL_OID 	"1.2.840.113556.1.4.319"
+
 #endif	/* _SMBLDAP_H */

source3/lib/netapi/joindomain.c

@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-
+#include "ads.h"
 #include "librpc/gen_ndr/libnetapi.h"
 #include "lib/netapi/netapi.h"
 #include "lib/netapi/netapi_private.h"

source3/lib/smbldap.c

@@ -25,10 +25,6 @@
 #include "includes.h"
 #include "smbldap.h"
 
-#ifndef LDAP_OPT_SUCCESS
-#define LDAP_OPT_SUCCESS 0
-#endif
-
 /* Try not to hit the up or down server forever */
 
 #define SMBLDAP_DONT_PING_TIME 10	/* ping only all 10 seconds */

source3/libads/ads_proto.h

@@ -0,0 +1,171 @@
+/* The following definitions come from libads/ads_struct.c  */
+
+char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
+char *ads_build_dn(const char *realm);
+char *ads_build_domain(const char *dn);
+ADS_STRUCT *ads_init(const char *realm,
+		     const char *workgroup,
+		     const char *ldap_server);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+void ads_destroy(ADS_STRUCT **ads);
+
+const char *ads_get_ldap_server_name(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/disp_sec.c  */
+
+void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd);
+
+/* The following definitions come from libads/kerberos_keytab.c  */
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc);
+int ads_keytab_flush(ADS_STRUCT *ads);
+int ads_keytab_create_default(ADS_STRUCT *ads);
+int ads_keytab_list(const char *keytab_name);
+
+/* The following definitions come from libads/krb5_errs.c  */
+
+/* The following definitions come from libads/kerberos_util.c  */
+
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+				    const char *machine_account,
+				    const char *password);
+int ads_kinit_password(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/ldap.c  */
+
+bool ads_sitename_match(ADS_STRUCT *ads);
+bool ads_closest_dc(ADS_STRUCT *ads);
+ADS_STATUS ads_connect(ADS_STRUCT *ads);
+ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads);
+ADS_STATUS ads_connect_gc(ADS_STRUCT *ads);
+void ads_disconnect(ADS_STRUCT *ads);
+ADS_STATUS ads_do_search_all_fn(ADS_STRUCT *ads, const char *bind_path,
+				int scope, const char *expr, const char **attrs,
+				bool (*fn)(ADS_STRUCT *, char *, void **, void *),
+				void *data_area);
+char *ads_parent_dn(const char *dn);
+ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx);
+ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+		       const char *name, const char *val);
+ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+			   const char *name, const char **vals);
+ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods);
+ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods);
+ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn);
+char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit);
+char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid);
+ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+				const char *name, const char **vals);
+uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
+uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
+ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
+                                          const char *my_fqdn, const char *spn);
+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                   const char *org_unit);
+ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                 const char *org_unit, bool *moved);
+int ads_count_replies(ADS_STRUCT *ads, void *res);
+ADS_STATUS ads_USN(ADS_STRUCT *ads, uint32 *usn);
+ADS_STATUS ads_current_time(ADS_STRUCT *ads);
+ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32 *val);
+ADS_STATUS ads_domain_sid(ADS_STRUCT *ads, struct dom_sid *sid);
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name);
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn);
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char ***suffixes, size_t *num_suffixes);
+ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+				TALLOC_CTX *mem_ctx,
+				char ***ous,
+				size_t *num_ous);
+ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
+					const char *extended_dn,
+					enum ads_extended_dn_flags flags,
+					struct dom_sid *sid);
+char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+char* ads_get_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
+			uint32 account_type, const char *org_unit);
+ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname);
+ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
+			       TALLOC_CTX *mem_ctx,
+			       const char *samaccountname,
+			       uint32 *uac_ret,
+			       const char **dn_ret);
+ADS_STATUS ads_config_path(ADS_STRUCT *ads,
+			   TALLOC_CTX *mem_ctx,
+			   char **config_path);
+const char *ads_get_extended_right_name_by_guid(ADS_STRUCT *ads,
+						const char *config_path,
+						TALLOC_CTX *mem_ctx,
+						const struct GUID *rights_guid);
+ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+			   ADS_STRUCT *ads,
+			   const char **account_ou);
+
+/* The following definitions come from libads/ldap_printer.c  */
+
+ADS_STATUS ads_mod_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+				 TALLOC_CTX *ctx, const ADS_MODLIST *mods);
+ADS_STATUS ads_add_printer_entry(ADS_STRUCT *ads, char *prt_dn,
+					TALLOC_CTX *ctx, ADS_MODLIST *mods);
+WERROR get_remote_printer_publishing_data(struct rpc_pipe_client *cli,
+					  TALLOC_CTX *mem_ctx,
+					  ADS_MODLIST *mods,
+					  const char *printer);
+
+/* The following definitions come from libads/ldap_user.c  */
+
+ADS_STATUS ads_add_user_acct(ADS_STRUCT *ads, const char *user,
+			     const char *container, const char *fullname);
+ADS_STATUS ads_add_group_acct(ADS_STRUCT *ads, const char *group,
+			      const char *container, const char *comment);
+
+/* The following definitions come from libads/ldap_utils.c  */
+
+ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
+			     TALLOC_CTX *mem_ctx,
+			     int scope,
+			     const char *base,
+			     const char *filter,
+			     void *args,
+			     const char *range_attr,
+			     char ***strings,
+			     size_t *num_strings);
+ADS_STATUS ads_ranged_search_internal(ADS_STRUCT *ads,
+				      TALLOC_CTX *mem_ctx,
+				      int scope,
+				      const char *base,
+				      const char *filter,
+				      const char **attrs,
+				      void *args,
+				      const char *range_attr,
+				      char ***strings,
+				      size_t *num_strings,
+				      uint32 *first_usn,
+				      int *num_retries,
+				      bool *more_values);
+
+/* The following definitions come from libads/ndr.c  */
+
+void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r);
+void ndr_print_ads_struct(struct ndr_print *ndr, const char *name, const struct ads_struct *r);
+
+/* The following definitions come from libads/sasl.c  */
+
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
+
+/* The following definitions come from libads/sasl_wrapping.c  */
+
+ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
+				   const struct ads_saslwrap_ops *ops,
+				   void *private_data);
+ADS_STATUS ads_setup_sasl_wrapping(ADS_STRUCT *ads,
+				   const struct ads_saslwrap_ops *ops,
+				   void *private_data);
+
+/* The following definitions come from libads/util.c  */
+
+ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal);
+ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+				       char **returned_principal);

source3/libads/ads_struct.c

@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 /* return a ldap dn path from a string, given separators and field name
    caller must free

source3/libads/ads_utils.c

@@ -20,6 +20,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 const char *ads_get_ldap_server_name(ADS_STRUCT *ads)
 {

source3/libads/authdata.c

@@ -25,6 +25,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 

source3/libads/disp_sec.c

@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/ldap_schema.h"
 
 /* for ADS */

source3/libads/kerberos.c

@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "smb_krb5.h"
 #include "../librpc/gen_ndr/ndr_misc.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
@@ -284,58 +285,6 @@ int kerberos_kinit_password_ext(const char *principal,
 	return code;
 }
 
-
-
-/* run kinit to setup our ccache */
-int ads_kinit_password(ADS_STRUCT *ads)
-{
-	char *s;
-	int ret;
-	const char *account_name;
-	fstring acct_name;
-
-	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
-		account_name = ads->auth.user_name;
-		goto got_accountname;
-	}
-
-	if ( IS_DC ) {
-		/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
-		account_name = lp_workgroup();
-	} else {
-		/* always use the sAMAccountName for security = domain */
-		/* global_myname()$@REA.LM */
-		if ( lp_security() == SEC_DOMAIN ) {
-			fstr_sprintf( acct_name, "%s$", global_myname() );
-			account_name = acct_name;
-		}
-		else 
-			/* This looks like host/global_myname()@REA.LM */
-			account_name = ads->auth.user_name;
-	}
-
- got_accountname:
-	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
-		return KRB5_CC_NOMEM;
-	}
-
-	if (!ads->auth.password) {
-		SAFE_FREE(s);
-		return KRB5_LIBOS_CANTREADPWD;
-	}
-	
-	ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
-			&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, 
-			NULL);
-
-	if (ret) {
-		DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
-			 s, error_message(ret)));
-	}
-	SAFE_FREE(s);
-	return ret;
-}
-
 int ads_kdestroy(const char *cc_name)
 {
 	krb5_error_code code;

source3/libads/kerberos_keytab.c

@@ -27,6 +27,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "ads.h"
 
 #ifdef HAVE_KRB5
 

source3/libads/kerberos_proto.h

@@ -0,0 +1,67 @@
+/* The following definitions come from libads/kerberos_verify.c  */
+
+NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
+			   const char *realm,
+			   time_t time_offset,
+			   const DATA_BLOB *ticket,
+			   char **principal,
+			   struct PAC_LOGON_INFO **logon_info,
+			   DATA_BLOB *ap_rep,
+			   DATA_BLOB *session_key,
+			   bool use_replay_cache);
+
+/* The following definitions come from libads/kerberos.c  */
+
+int kerberos_kinit_password_ext(const char *principal,
+				const char *password,
+				int time_offset,
+				time_t *expire_time,
+				time_t *renew_till_time,
+				const char *cache_name,
+				bool request_pac,
+				bool add_netbios_addr,
+				time_t renewable_time,
+				NTSTATUS *ntstatus);
+int ads_kdestroy(const char *cc_name);
+char* kerberos_standard_des_salt( void );
+bool kerberos_secrets_store_des_salt( const char* salt );
+char* kerberos_secrets_fetch_des_salt( void );
+char *kerberos_get_default_realm_from_ccache( void );
+char *kerberos_get_realm_from_hostname(const char *hostname);
+
+bool kerberos_secrets_store_salting_principal(const char *service,
+					      int enctype,
+					      const char *principal);
+int kerberos_kinit_password(const char *principal,
+			    const char *password,
+			    int time_offset,
+			    const char *cache_name);
+bool create_local_private_krb5_conf_for_domain(const char *realm,
+						const char *domain,
+						const char *sitename,
+						struct sockaddr_storage *pss,
+						const char *kdc_name);
+
+/* The following definitions come from libads/authdata.c  */
+
+NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+			     const char *name,
+			     const char *pass,
+			     time_t time_offset,
+			     time_t *expire_time,
+			     time_t *renew_till_time,
+			     const char *cache_name,
+			     bool request_pac,
+			     bool add_netbios_addr,
+			     time_t renewable_time,
+			     const char *impersonate_princ_s,
+			     struct PAC_LOGON_INFO **logon_info);
+
+/* The following definitions come from libads/krb5_setpw.c  */
+
+ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
+				 const char *newpw, int time_offset);
+ADS_STATUS kerberos_set_password(const char *kpasswd_server,
+				 const char *auth_principal, const char *auth_password,
+				 const char *target_principal, const char *new_password,
+				 int time_offset);

source3/libads/kerberos_util.c

@@ -0,0 +1,107 @@
+/*
+   Unix SMB/CIFS implementation.
+   krb5 set password implementation
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+
+#ifdef HAVE_KRB5
+
+/**
+ * Set the machine account password
+ * @param ads connection to ads server
+ * @param hostname machine whose password is being set
+ * @param password new password
+ * @return status of password change
+ **/
+ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
+				    const char *machine_account,
+				    const char *password)
+{
+	ADS_STATUS status;
+	char *principal = NULL;
+
+	/*
+	  we need to use the '$' form of the name here (the machine account name),
+	  as otherwise the server might end up setting the password for a user
+	  instead
+	 */
+	if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
+		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+	}
+
+	status = ads_krb5_set_password(ads->auth.kdc_server, principal,
+				       password, ads->auth.time_offset);
+
+	SAFE_FREE(principal);
+	return status;
+}
+
+/* run kinit to setup our ccache */
+int ads_kinit_password(ADS_STRUCT *ads)
+{
+	char *s;
+	int ret;
+	const char *account_name;
+	fstring acct_name;
+
+	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
+		account_name = ads->auth.user_name;
+		goto got_accountname;
+	}
+
+	if ( IS_DC ) {
+		/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
+		account_name = lp_workgroup();
+	} else {
+		/* always use the sAMAccountName for security = domain */
+		/* global_myname()$@REA.LM */
+		if ( lp_security() == SEC_DOMAIN ) {
+			fstr_sprintf( acct_name, "%s$", global_myname() );
+			account_name = acct_name;
+		}
+		else
+			/* This looks like host/global_myname()@REA.LM */
+			account_name = ads->auth.user_name;
+	}
+
+ got_accountname:
+	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
+		return KRB5_CC_NOMEM;
+	}
+
+	if (!ads->auth.password) {
+		SAFE_FREE(s);
+		return KRB5_LIBOS_CANTREADPWD;
+	}
+
+	ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
+			&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
+			NULL);
+
+	if (ret) {
+		DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+			 s, error_message(ret)));
+	}
+	SAFE_FREE(s);
+	return ret;
+}
+
+#endif

source3/libads/kerberos_verify.c

@@ -25,6 +25,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 

source3/libads/krb5_setpw.c

@@ -20,6 +20,7 @@
 
 #include "includes.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #ifdef HAVE_KRB5
 
@@ -806,34 +807,4 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 				     new_password, time_offset);
 }
 
-
-/**
- * Set the machine account password
- * @param ads connection to ads server
- * @param hostname machine whose password is being set
- * @param password new password
- * @return status of password change
- **/
-ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
-				    const char *machine_account,
-				    const char *password)
-{
-	ADS_STATUS status;
-	char *principal = NULL; 
-
-	/*
-	  we need to use the '$' form of the name here (the machine account name), 
-	  as otherwise the server might end up setting the password for a user
-	  instead
-	 */
-	if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
-		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-	}
-	
-	status = ads_krb5_set_password(ads->auth.kdc_server, principal, 
-				       password, ads->auth.time_offset);
-	
-	SAFE_FREE(principal);
-	return status;
-}
 #endif

source3/libads/ldap.c

@@ -22,6 +22,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/sitename_cache.h"
 #include "libads/cldap.h"
 #include "libads/dns.h"

source3/libads/ldap_printer.c

@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../librpc/gen_ndr/cli_spoolss.h"
 #include "rpc_client/cli_spoolss.h"
 #include "registry.h"

source3/libads/ldap_schema.c

@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "libads/ldap_schema.h"
 
 #ifdef HAVE_LDAP

source3/libads/ldap_user.c

@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../libds/common/flags.h"
 
 #ifdef HAVE_ADS

source3/libads/ldap_utils.c

@@ -21,6 +21,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_LDAP
 /*

source3/libads/ndr.c

@@ -20,6 +20,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
 
 void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, uint32_t r)

source3/libads/sasl.c

@@ -20,6 +20,8 @@
 #include "includes.h"
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
+#include "ads.h"
+#include "smb_krb5.h"
 
 #ifdef HAVE_LDAP
 

source3/libads/sasl_wrapping.c

@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_LDAP_SASL_WRAPPING
 

source3/libads/util.c

@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 
 #ifdef HAVE_KRB5
 

source3/libnet/libnet_join.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "librpc/gen_ndr/ndr_libnet_join.h"
 #include "libnet/libnet_join.h"
 #include "libcli/auth/libcli_auth.h"

source3/libsmb/cliconnect.c

@@ -23,6 +23,7 @@
 #include "../libcli/auth/spnego.h"
 #include "smb_krb5.h"
 #include "../libcli/auth/ntlmssp.h"
+#include "libads/kerberos_proto.h"
 
 static const struct {
 	int prot;

source3/libsmb/namequery_dc.c

@@ -24,6 +24,7 @@
 
 #include "includes.h"
 #include "libads/sitename_cache.h"
+#include "ads.h"
 
 /**********************************************************************
  Is this our primary domain ?

source3/param/loadparm.c

@@ -57,6 +57,8 @@
 #include "lib/smbconf/smbconf_init.h"
 #include "lib/smbconf/smbconf_reg.h"
 
+#include "ads.h"
+
 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
 #endif

source3/smbd/sesssetup.c

@@ -28,6 +28,7 @@
 #include "../libcli/auth/ntlmssp.h"
 #include "ntlmssp_wrap.h"
 #include "librpc/gen_ndr/messaging.h"
+#include "libads/kerberos_proto.h"
 
 /* For split krb5 SPNEGO blobs. */
 struct pending_auth_data {

source3/smbd/smb2_sesssetup.c

@@ -25,6 +25,7 @@
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
 #include "ntlmssp_wrap.h"
+#include "libads/kerberos_proto.h"
 
 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 					uint64_t in_session_id,

source3/utils/net_ads.c

@@ -25,10 +25,10 @@
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "../librpc/gen_ndr/cli_spoolss.h"
 #include "nsswitch/libwbclient/wbclient.h"
+#include "ads.h"
 #include "libads/cldap.h"
 #include "libads/dns.h"
 #include "../libds/common/flags.h"
-#include "ads.h"
 #include "librpc/gen_ndr/libnet_join.h"
 #include "libnet/libnet_join.h"
 #include "smb_krb5.h"

source3/utils/net_ads_gpo.c

@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "utils/net.h"
+#include "ads.h"
 #include "../libgpo/gpo.h"
 #include "libgpo/gpo_proto.h"
 #include "../libds/common/flags.h"

source3/utils/net_proto.h

@@ -45,9 +45,9 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
 enum netr_SchannelType get_sec_channel_type(const char *param);
 
 /* The following definitions come from utils/net_ads.c  */
-
-ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads);
-ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, ADS_STRUCT **ads);
+struct ads_struct;
+ADS_STATUS ads_startup(struct net_context *c, bool only_own_domain, struct ads_struct **ads);
+ADS_STATUS ads_startup_nobind(struct net_context *c, bool only_own_domain, struct ads_struct **ads);
 int net_ads_check_our_domain(struct net_context *c);
 int net_ads_check(struct net_context *c);
 int net_ads_user(struct net_context *c, int argc, const char **argv);

source3/utils/ntlm_auth.c

@@ -31,6 +31,7 @@
 #include "smb_krb5.h"
 #include <iniparser.h>
 #include "../lib/crypto/arcfour.h"
+#include "libads/kerberos_proto.h"
 
 #ifndef PAM_WINBIND_CONFIG_FILE
 #define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"

source3/winbindd/idmap_ad.c

@@ -28,6 +28,7 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "../libds/common/flags.h"
+#include "ads.h"
 #include "libads/ldap_schema.h"
 #include "nss_info.h"
 

source3/winbindd/idmap_adex/cell_util.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 #include "../libds/common/flags.h"
 

source3/winbindd/idmap_adex/domain_util.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 
 #undef DBGC_CLASS

source3/winbindd/idmap_adex/gc_util.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 #include "libads/cldap.h"
 

source3/winbindd/idmap_adex/idmap_adex.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 #include "nss_info.h"
 

source3/winbindd/idmap_adex/likewise_cell.c

@@ -19,6 +19,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 
 #undef DBGC_CLASS

source3/winbindd/idmap_adex/provider_unified.c

@@ -21,6 +21,7 @@
  */
 
 #include "includes.h"
+#include "ads.h"
 #include "idmap_adex.h"
 
 #undef DBGC_CLASS

source3/winbindd/idmap_hash/idmap_hash.c

@@ -21,6 +21,7 @@
 #include "includes.h"
 #include "winbindd/winbindd.h"
 #include "idmap_hash.h"
+#include "ads.h"
 #include "nss_info.h"
 
 #undef DBGC_CLASS

source3/winbindd/nss_info.c

@@ -20,6 +20,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "nss_info.h"
 
 static struct nss_function_entry *backends = NULL;

source3/winbindd/nss_info_template.c

@@ -19,6 +19,7 @@
 */
 
 #include "includes.h"
+#include "ads.h"
 #include "nss_info.h"
 
 /************************************************************************

source3/winbindd/winbindd_ads.c

@@ -25,6 +25,7 @@
 #include "winbindd.h"
 #include "../librpc/gen_ndr/cli_netlogon.h"
 #include "../libds/common/flags.h"
+#include "ads.h"
 
 #ifdef HAVE_ADS
 

source3/winbindd/winbindd_cache.c

@@ -28,6 +28,7 @@
 #include "tdb_validate.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../librpc/gen_ndr/ndr_wbint.h"
+#include "ads.h"
 #include "nss_info.h"
 
 #undef DBGC_CLASS

source3/winbindd/winbindd_cm.c

@@ -70,6 +70,7 @@
 #include "libads/sitename_cache.h"
 #include "librpc/gen_ndr/messaging.h"
 #include "libsmb/clidgram.h"
+#include "ads.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND

source3/winbindd/winbindd_cred_cache.c

@@ -25,6 +25,7 @@
 #include "winbindd.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "smb_krb5.h"
+#include "libads/kerberos_proto.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND

source3/winbindd/winbindd_pam.c

@@ -32,6 +32,7 @@
 #include "smb_krb5.h"
 #include "../lib/crypto/arcfour.h"
 #include "../libcli/security/dom_sid.h"
+#include "ads.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND

source3/winbindd/winbindd_proto.h

@@ -155,10 +155,11 @@ bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_do
 bool wcache_tdc_add_domain( struct winbindd_domain *domain );
 struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name );
 void wcache_tdc_clear( void );
+struct ads_struct;
 NTSTATUS nss_get_info_cached( struct winbindd_domain *domain, 
 			      const struct dom_sid *user_sid,
 			      TALLOC_CTX *ctx,
-			      ADS_STRUCT *ads, LDAPMessage *msg,
+			      struct ads_struct *ads, LDAPMessage *msg,
 			      const char **homedir, const char **shell,
 			      const char **gecos, gid_t *p_gid);
 bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,

source3/wscript_build

@@ -205,7 +205,9 @@ LIBGPO_SRC = '''${LIBGPO_SRC0}'''
 
 LIBADS_SRC = '''libads/ldap.c libads/ldap_printer.c
              libads/sasl.c libads/sasl_wrapping.c
-             libads/krb5_setpw.c libads/ldap_user.c
+             libads/krb5_setpw.c
+             libads/kerberos_util.c
+             libads/ldap_user.c
              libads/ads_struct.c libads/kerberos_keytab.c
              libads/disp_sec.c libads/ads_utils.c libads/ldap_utils.c
              libads/ldap_schema.c libads/util.c libads/ndr.c'''