DWORD
GetPreferredDCAddress(
PSTR pszDomain,
PSTR* ppszDCAddress
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PLWNET_DC_INFO pDCInfo = NULL;
PSTR pszDCAddress = NULL;
dwError = LWNetGetDCName(
NULL,
pszDomain,
NULL, //pszSiteName
0, //dwFlags
&pDCInfo);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(
pDCInfo->pszDomainControllerName,
&pszDCAddress);
BAIL_ON_MAC_ERROR(dwError);
*ppszDCAddress = pszDCAddress;
cleanup:
if (pDCInfo)
{
LWNetFreeDCInfo(pDCInfo);
}
return dwError;
error:
*ppszDCAddress = NULL;
LW_SAFE_FREE_STRING(pszDCAddress);
goto cleanup;
}
static
DWORD
ADUPutGPTINIFile(
PSTR pszFolderPath,
PSTR pszgPCFileSysPath
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR pszDestPath = NULL;
PSTR pszDomainName = NULL;
PSTR pszPolicyIdentifier = NULL;
/* This routine expects the local layout of cached policy files to be found under LWDS_ADMIN_CACHE_DIR,
here there should be sub-directories for each policy identifier and a file GPT.ini which has
been updated to reflect the version information that needs to be copied to the AD DC. This
function will determine the policy identifier and build the path to the local GPT.INI file and
the path to the GPT.INI file in the syvol location for the specific GPO.*/
dwError = ADUCrackFileSysPath(pszgPCFileSysPath,
&pszDomainName,
&pszDestPath,
&pszPolicyIdentifier);
BAIL_ON_MAC_ERROR(dwError);
dwError = ADUSMBPutFile(pszDomainName,
pszFolderPath,
(PSTR)"GPT.INI",
pszDestPath);
BAIL_ON_MAC_ERROR(dwError);
cleanup:
LW_SAFE_FREE_STRING(pszDomainName);
LW_SAFE_FREE_STRING(pszPolicyIdentifier);
LW_SAFE_FREE_STRING(pszDestPath);
return dwError;
error:
goto cleanup;
}
DWORD
LWDeleteNameValuePairBySectionName(
PCFGSECTION pSectionList,
PCSTR pszSectionName,
PCSTR pszName
)
{
DWORD dwError = 0;
PCFGSECTION pSection = NULL;
if (IsNullOrEmptyString(pszSectionName) ||
IsNullOrEmptyString(pszName)) {
dwError = MAC_AD_ERROR_INVALID_PARAMETER;
BAIL_ON_MAC_ERROR(dwError);
}
while (pSectionList) {
if (!strcmp(pszSectionName, pszName)) {
pSection = pSectionList;
break;
}
pSectionList = pSectionList->pNext;
}
if (!pSection) {
dwError = MAC_AD_ERROR_INVALID_RECORD_TYPE;
goto error;
}
dwError = LWDeleteNameValuePairBySection(pSection, pszName);
BAIL_ON_MAC_ERROR(dwError);
cleanup:
return dwError;
error:
goto cleanup;
}
DWORD
ADUParseAndSetGPTVersion(
PSTR pszFilePath,
DWORD dwGPTVersion
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
char szValue[256];
PCFGSECTION pSectionList = NULL;
memset(szValue, 0, sizeof(szValue));
sprintf(szValue, "%d", dwGPTVersion);
dwError = LWParseConfigFile(pszFilePath,
&pSectionList,
FALSE);
BAIL_ON_MAC_ERROR(dwError);
dwError = LWSetConfigValueBySectionName(pSectionList,
"General",
"Version",
szValue);
BAIL_ON_MAC_ERROR(dwError);
dwError = LWSaveConfigSectionList(pszFilePath, pSectionList);
BAIL_ON_MAC_ERROR(dwError);
cleanup:
if (pSectionList) {
LWFreeConfigSectionList(pSectionList);
}
return dwError;
error:
goto cleanup;
}
DWORD
ADUSetPolicyVersionInAD(
PGROUP_POLICY_OBJECT pGPO,
DWORD dwVersion)
{
DWORD dwError = 0;
PSTR pszDomainName = NULL;
PSTR pszSourcePath = NULL;
PSTR pszPolicyIdentifier = NULL;
HANDLE hDirectory = (HANDLE)NULL;
dwError = ADUCrackFileSysPath(pGPO->pszgPCFileSysPath,
&pszDomainName,
&pszSourcePath,
&pszPolicyIdentifier);
BAIL_ON_MAC_ERROR(dwError);
dwError = ADUOpenLwLdapDirectory(pszDomainName, &hDirectory);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapPutUInt32(hDirectory, pGPO->pszPolicyDN, ADU_VERSION_NUMBER_ATTR, dwVersion);
BAIL_ON_MAC_ERROR(dwError);
cleanup:
LW_SAFE_FREE_STRING(pszDomainName);
LW_SAFE_FREE_STRING(pszSourcePath);
LW_SAFE_FREE_STRING(pszPolicyIdentifier);
if (hDirectory)
LwLdapCloseDirectory(hDirectory);
return dwError;
error:
goto cleanup;
}
DWORD
LWDeleteConfigSection(
PCFGSECTION* ppSectionList,
PCSTR pszSectionName
)
{
DWORD dwError = 0;
PCFGSECTION pSection = NULL;
PCFGSECTION pIterSection = *ppSectionList;
PCFGSECTION pPrevSection = NULL;
if (IsNullOrEmptyString(pszSectionName)) {
dwError = MAC_AD_ERROR_INVALID_PARAMETER;
BAIL_ON_MAC_ERROR(dwError);
}
while (pIterSection) {
if (!strcmp(pszSectionName, pIterSection->pszName)) {
pSection = pIterSection;
break;
}
pPrevSection = pIterSection;
pIterSection = pIterSection->pNext;
}
if (pSection) {
if (!pPrevSection) {
*ppSectionList = pSection->pNext;
} else {
pPrevSection->pNext = pSection->pNext;
}
LWFreeSection(pSection);
}
cleanup:
return dwError;
error:
goto cleanup;
}
DWORD
ADUParseAndGetGPTVersion(
PSTR pszFilePath,
PDWORD pdwGPTVersion
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR pszValue = NULL;
PCFGSECTION pSectionList = NULL;
dwError = LWParseConfigFile(pszFilePath,
&pSectionList,
FALSE);
BAIL_ON_MAC_ERROR(dwError);
dwError = LWGetConfigValueBySectionName(pSectionList,
"General",
"Version",
&pszValue);
if (dwError == MAC_AD_ERROR_SUCCESS) {
if (!pszValue) {
dwError = MAC_AD_ERROR_NO_SUCH_ATTRIBUTE;
} else {
*pdwGPTVersion = atoi(pszValue);
}
}
cleanup:
if (pSectionList) {
LWFreeConfigSectionList(pSectionList);
}
LW_SAFE_FREE_STRING(pszValue);
return dwError;
error:
if (pdwGPTVersion)
*pdwGPTVersion = 0;
goto cleanup;
}
DWORD
LWGetConfigValueBySection(
PCFGSECTION pSection,
PCSTR pszName,
PSTR* ppszValue
)
{
DWORD dwError = 0;
PNVPAIR pNVPair = NULL;
*ppszValue = NULL;
pNVPair = pSection->pNVPairList;
while (pNVPair) {
if (!strcmp(pNVPair->pszName, pszName))
break;
pNVPair = pNVPair->pNext;
}
if (!pNVPair) {
dwError = MAC_AD_ERROR_INVALID_ATTRIBUTE_TYPE;
goto cleanup; /* Not uncommon, no need to log error. */
}
if (pNVPair->pszValue) {
dwError = LwAllocateString(pNVPair->pszValue, ppszValue);
BAIL_ON_MAC_ERROR(dwError);
}
cleanup:
return dwError;
error:
goto cleanup;
}
DWORD
ADUKrb5SetDefaultCachePath(
PSTR pszCachePath,
PSTR* ppszOrigCachePath
)
{
DWORD dwError = 0;
DWORD dwMajorStatus = 0;
DWORD dwMinorStatus = 0;
PSTR pszOrigCachePath = NULL;
// Avoid library conflicts with Mac OSX library
dwMajorStatus = lw_gss_krb5_ccache_name(
(OM_uint32 *)&dwMinorStatus,
pszCachePath,
(ppszOrigCachePath) ? (const char**)&pszOrigCachePath : NULL);
BAIL_ON_SEC_ERROR(dwMajorStatus, dwMinorStatus);
if (ppszOrigCachePath) {
if (!IsNullOrEmptyString(pszOrigCachePath)) {
dwError = LwAllocateString(pszOrigCachePath, ppszOrigCachePath);
BAIL_ON_MAC_ERROR(dwError);
} else {
*ppszOrigCachePath = NULL;
}
}
cleanup:
return dwError;
error:
if (ppszOrigCachePath) {
*ppszOrigCachePath = NULL;
}
goto cleanup;
}
static
DWORD
ParseHeader(
FILE* fp,
PDWORD pdwSignature)
{
DWORD dwError = 0;
uint16_t wSignature = 0;
if (1 != fread(&wSignature, sizeof(wSignature), 1, fp)) {
dwError = errno;
BAIL_ON_MAC_ERROR(dwError);
}
*pdwSignature = CONVERT_ENDIAN_WORD(wSignature);
cleanup:
return dwError;
error:
goto cleanup;
}
DWORD
GetUserAttributes(
HANDLE hDirectory,
PSTR pszUserSID,
PSTR pszDomainName,
PGPUSER_AD_ATTRS * ppUserADAttrs
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR pszDirectoryRoot = NULL;
PSTR szAttributeList[] = {"*", NULL};
CHAR szQuery[1024];
LDAPMessage *pUserMessage = NULL;
LDAPMessage *pDomainMessage = NULL;
long lCount = 0;
PGPUSER_AD_ATTRS pUserADAttrs = NULL;
dwError = ADUConvertDomainToDN(pszDomainName, &pszDirectoryRoot);
BAIL_ON_MAC_ERROR(dwError);
sprintf(szQuery, "(objectsid=%s)", pszUserSID);
dwError = LwLdapDirectorySearch(
hDirectory,
pszDirectoryRoot,
LDAP_SCOPE_SUBTREE,
szQuery,
szAttributeList,
&pUserMessage);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapCountEntries(
hDirectory,
pUserMessage,
&lCount
);
BAIL_ON_MAC_ERROR(dwError);
if (lCount < 0) {
dwError = MAC_AD_ERROR_INVALID_NAME;
} else if (lCount == 0) {
dwError = MAC_AD_ERROR_INVALID_NAME;
} else if (lCount > 1) {
dwError = MAC_AD_ERROR_INVALID_NAME;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapDirectorySearch(
hDirectory,
pszDirectoryRoot,
LDAP_SCOPE_BASE,
"(objectClass=*)",
szAttributeList,
&pDomainMessage);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapCountEntries(
hDirectory,
pDomainMessage,
&lCount
);
BAIL_ON_MAC_ERROR(dwError);
if (lCount < 0) {
dwError = MAC_AD_ERROR_INVALID_NAME;
} else if (lCount == 0) {
dwError = MAC_AD_ERROR_INVALID_NAME;
} else if (lCount > 1) {
dwError = MAC_AD_ERROR_INVALID_NAME;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateMemory(sizeof(GPUSER_AD_ATTRS), (PVOID *) &pUserADAttrs);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pszDomainName, &pUserADAttrs->pszADDomain);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"displayName",
&pUserADAttrs->pszDisplayName);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"givenName",
&pUserADAttrs->pszFirstName);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"sn",
&pUserADAttrs->pszLastName);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"userPrincipalName",
&pUserADAttrs->pszKerberosPrincipal);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"mail",
&pUserADAttrs->pszEMailAddress);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"msExchHomeServerName",
&pUserADAttrs->pszMSExchHomeServerName);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"homeMDB",
&pUserADAttrs->pszMSExchHomeMDB);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"telephoneNumber",
&pUserADAttrs->pszTelephoneNumber);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"facsimileTelephoneNumber",
&pUserADAttrs->pszFaxTelephoneNumber);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"mobile",
&pUserADAttrs->pszMobileTelephoneNumber);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"streetAddress",
&pUserADAttrs->pszStreetAddress);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"postOfficeBox",
&pUserADAttrs->pszPostOfficeBox);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"l",
&pUserADAttrs->pszCity);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"st",
&pUserADAttrs->pszState);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"postalCode",
&pUserADAttrs->pszPostalCode);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"co",
&pUserADAttrs->pszCountry);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"title",
&pUserADAttrs->pszTitle);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"company",
&pUserADAttrs->pszCompany);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"department",
&pUserADAttrs->pszDepartment);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"homeDirectory",
&pUserADAttrs->pszHomeDirectory);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"homeDrive",
&pUserADAttrs->pszHomeDrive);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"pwdLastSet",
&pUserADAttrs->pszPasswordLastSet);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pUserMessage,
"userAccountControl",
&pUserADAttrs->pszUserAccountControl);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
/* The settings below are found on the domain container for the user */
dwError = LwLdapGetString(hDirectory,
pDomainMessage,
"maxPwdAge",
&pUserADAttrs->pszMaxMinutesUntilChangePassword);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pDomainMessage,
"minPwdAge",
&pUserADAttrs->pszMinMinutesUntilChangePassword);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pDomainMessage,
"lockoutThreshhold",
&pUserADAttrs->pszMaxFailedLoginAttempts);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pDomainMessage,
"pwdHistoryLength",
&pUserADAttrs->pszAllowedPasswordHistory);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pDomainMessage,
"minPwdLength",
&pUserADAttrs->pszMinCharsAllowedInPassword);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = MAC_AD_ERROR_SUCCESS;
}
BAIL_ON_MAC_ERROR(dwError);
*ppUserADAttrs = pUserADAttrs;
pUserADAttrs = NULL;
error:
FreeUserAttributes(pUserADAttrs);
if (pszDirectoryRoot) {
LwFreeString(pszDirectoryRoot);
}
if (pUserMessage) {
ldap_msgfree(pUserMessage);
}
if (pDomainMessage) {
ldap_msgfree(pDomainMessage);
}
return dwError;
}
DWORD
LWCreateConfigSection(
PCFGSECTION* ppSectionList,
PCFGSECTION* pCreatedSection,
PCSTR pszSectionName
)
{
DWORD dwError = 0;
PCFGSECTION pSectionList = NULL;
PCFGSECTION pSection = NULL;
PCFGSECTION pTmpSection = NULL;
if (!ppSectionList || IsNullOrEmptyString(pszSectionName)) {
dwError = MAC_AD_ERROR_INVALID_PARAMETER;
BAIL_ON_MAC_ERROR(dwError);
}
pSectionList = *ppSectionList;
pSection = pSectionList;
while (pSection)
{
if (!strcmp(pSection->pszName, pszSectionName))
{
break;
}
}
if (!pSection) {
dwError = LwAllocateMemory(sizeof(CFGSECTION), (PVOID*)&pSection);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pszSectionName, &pSection->pszName);
BAIL_ON_MAC_ERROR(dwError);
if (!pSectionList) {
pSectionList = pSection;
} else {
pTmpSection = pSectionList;
while (pTmpSection->pNext)
pTmpSection = pTmpSection->pNext;
pTmpSection->pNext = pSection;
}
}
*pCreatedSection = pSection;
*ppSectionList = pSectionList;
cleanup:
return dwError;
error:
*pCreatedSection = NULL;
if (pSection)
{
LWFreeSection(pSection);
}
goto cleanup;
}
DWORD
LWParseConfigFile(
PCSTR pszFilePath,
PCFGSECTION* ppCfgSectionList,
BOOLEAN bWindowsDoubleByteFormat
)
{
DWORD dwError = 0;
PCFGSECTION pSectionList = NULL;
PCFGSECTION pSection = NULL;
PNVPAIR pNVPair = NULL;
FILE* fp = NULL;
CHAR staticBuffer[1024+1];
PSTR szBuf = NULL;
DWORD dwLen = 0;
PSTR pszTmp = NULL;
PSTR pszName = NULL;
PSTR pszValue = NULL;
DWORD dwSignature = 0;
/*DWORD nRead = 0;*/
BOOLEAN bEOF = FALSE;
if ((fp = fopen(pszFilePath, "r")) == NULL) {
dwError = errno;
goto error;
}
if (fcntl(fileno(fp), F_SETFD, FD_CLOEXEC) < 0) {
dwError = errno;
BAIL_ON_MAC_ERROR(dwError);
}
if (bWindowsDoubleByteFormat) {
dwError = ParseHeader(fp, &dwSignature);
BAIL_ON_MAC_ERROR(dwError);
if (dwSignature != 0xFEFF) {
dwError = MAC_AD_ERROR_INVALID_TAG;
BAIL_ON_MAC_ERROR(dwError);
}
}
while (!bEOF) {
LW_SAFE_FREE_STRING(szBuf);
if (bWindowsDoubleByteFormat) {
staticBuffer[0] = '\0';
dwError = ReadNextDoubleByteLine(fp, staticBuffer, 1024, &bEOF);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(staticBuffer, &szBuf);
BAIL_ON_MAC_ERROR(dwError);
} else {
dwError = ReadNextLine(fp, &szBuf, &bEOF);
BAIL_ON_MAC_ERROR(dwError);
}
LwStripWhitespace(szBuf, TRUE, TRUE);
if (!(dwLen=strlen(szBuf)))
continue;
/* Skip comments for now */
if (szBuf[0] == '#' ||
szBuf[0] == ';')
continue;
if (szBuf[0] == '[' &&
szBuf[dwLen-1] == ']') {
if (pSection) {
pSection->pNext = pSectionList;
pSectionList = pSection;
pSection = NULL;
}
dwError = LwAllocateMemory(sizeof(CFGSECTION), (PVOID*)&pSection);
BAIL_ON_MAC_ERROR(dwError);
szBuf[dwLen-1] = '\0';
dwError = LwAllocateString(szBuf+1, &pSection->pszName);
BAIL_ON_MAC_ERROR(dwError);
LwStripWhitespace(pSection->pszName, TRUE, TRUE);
} else {
if (!pSection) {
dwError = MAC_AD_ERROR_NO_SUCH_ATTRIBUTE;
BAIL_ON_MAC_ERROR(dwError);
}
if ((pszTmp = strchr(szBuf, '=')) == NULL) {
continue;
}
if (pszTmp == szBuf) {
dwError = MAC_AD_ERROR_INVALID_TAG;
BAIL_ON_MAC_ERROR(dwError);
}
dwError = LwAllocateMemory(pszTmp-szBuf+1, (PVOID*)&pszName);
BAIL_ON_MAC_ERROR(dwError);
strncpy(pszName, szBuf, pszTmp-szBuf);
pszTmp++;
while (*pszTmp != '\0' && isspace((int)*pszTmp))
pszTmp++;
if (*pszTmp != '\0') {
dwError = LwAllocateString(pszTmp, &pszValue);
BAIL_ON_MAC_ERROR(dwError);
}
dwError = LwAllocateMemory(sizeof(NVPAIR), (PVOID*)&pNVPair);
BAIL_ON_MAC_ERROR(dwError);
LwStripWhitespace(pszName, TRUE, TRUE);
LwStripWhitespace(pszValue, TRUE, TRUE);
pNVPair->pszName = pszName; pszName = NULL;
pNVPair->pszValue = pszValue; pszValue = NULL;
pNVPair->pNext = pSection->pNVPairList;
pSection->pNVPairList = pNVPair;
pNVPair = NULL;
}
}
if (pSection) {
pSection->pNext = pSectionList;
pSectionList = pSection;
pSection = NULL;
}
pSectionList = ReverseSectionsAndNVPairs(pSectionList);
*ppCfgSectionList = pSectionList;
fclose(fp); fp = NULL;
cleanup:
LW_SAFE_FREE_STRING(szBuf);
if (fp) {
fclose(fp);
}
LW_SAFE_FREE_STRING(pszName);
LW_SAFE_FREE_STRING(pszValue);
return dwError;
error:
*ppCfgSectionList = NULL;
if (pSectionList)
{
LWFreeConfigSectionList(pSectionList);
}
if (pSection)
{
LWFreeSection(pSection);
}
if (pNVPair)
{
LWFreeNVPair(pNVPair);
}
goto cleanup;
}
DWORD
ADUKrb5GetUserCachePathAndSID(
PCSTR pszUserUPN,
PSTR* ppszCachePath,
PSTR* ppszHomeDirPath,
PSTR* ppszSID,
uid_t* pUid
)
{
DWORD dwError = 0;
char szPath[PATH_MAX];
PSTR pszCachePath = NULL;
PSTR pszHomeDirPath = NULL;
PSTR pszSID = NULL;
HANDLE hLsaConnection = (HANDLE) NULL;
PLSA_USER_INFO_0 pUserInfo_0 = NULL;
dwError = LsaOpenServer(&hLsaConnection);
BAIL_ON_MAC_ERROR(dwError);
dwError = LsaFindUserByName(hLsaConnection, pszUserUPN, 0, (PVOID*) &pUserInfo_0);
BAIL_ON_MAC_ERROR(dwError);
memset(szPath, 0, sizeof(szPath));
sprintf(szPath, "FILE:/tmp/krb5cc_%ld",(long)pUserInfo_0->uid);
dwError = LwAllocateString(szPath, &pszCachePath);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pUserInfo_0->pszSid, &pszSID);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pUserInfo_0->pszHomedir, &pszHomeDirPath);
BAIL_ON_MAC_ERROR(dwError);
if (ppszCachePath)
{
*ppszCachePath = pszCachePath;
pszCachePath = NULL;
}
if (ppszSID)
{
*ppszSID = pszSID;
pszSID = NULL;
}
if (ppszHomeDirPath)
{
*ppszHomeDirPath = pszHomeDirPath;
pszHomeDirPath = NULL;
}
if (pUid)
{
*pUid = pUserInfo_0->uid;
}
cleanup:
if (pszCachePath)
LwFreeString(pszCachePath);
if (pszSID)
LwFreeString(pszSID);
if (pszHomeDirPath)
LwFreeString(pszHomeDirPath);
if (pUserInfo_0)
LsaFreeUserInfo(0, pUserInfo_0);
if (hLsaConnection != (HANDLE)NULL)
LsaCloseServer(hLsaConnection);
return dwError;
error:
if (ppszCachePath)
*ppszCachePath = NULL;
if (ppszSID)
*ppszSID = NULL;
if (ppszHomeDirPath)
*ppszHomeDirPath = NULL;
if (pUid)
*pUid = -1;
goto cleanup;
}
DWORD
ADUCrackFileSysPath(
PCSTR pszFileSysPath,
PSTR * ppszDomainName,
PSTR * ppszSourcePath,
PSTR * ppszPolicyIdentifier
)
{
DWORD dwError = 0;
PSTR pTemp = NULL;
char szDomainName[256];
char szPolicyId[256];
PSTR pSysVol = NULL;
PSTR pPolicy = NULL;
PSTR pszDomainName = NULL;
PSTR pszSourcePath = NULL;
PSTR pszPolicyIdentifier = NULL;
pTemp = (PSTR)pszFileSysPath + 2;
pSysVol = strchr(pTemp, '\\');
/* TODO: make sure pSysVol points to \\sysvol\\ */
memset(szDomainName, 0, sizeof(szDomainName));
strncpy(szDomainName, pTemp, pSysVol - pTemp);
szDomainName[pSysVol - pTemp] = 0;
dwError = LwAllocateString(szDomainName, &pszDomainName);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pSysVol + sizeof("\\sysvol\\") - 1, &pszSourcePath);
BAIL_ON_MAC_ERROR(dwError);
pTemp = pSysVol + sizeof("\\sysvol\\");
pPolicy = strchr(pTemp, '{');
/* TODO: make sure pPolicy points to end of \\sysvol\\{ */
if ( pPolicy && strlen(pPolicy) >= 38 ) {
strcpy(szPolicyId, pPolicy);
szPolicyId[38] = 0;
} else {
dwError = MAC_AD_ERROR_INVALID_ATTRIBUTE_TYPE;
BAIL_ON_MAC_ERROR(dwError);
}
dwError = LwAllocateString(szPolicyId, &pszPolicyIdentifier);
BAIL_ON_MAC_ERROR(dwError);
*ppszDomainName = pszDomainName;
*ppszSourcePath = pszSourcePath;
*ppszPolicyIdentifier = pszPolicyIdentifier;
return dwError;
cleanup:
LW_SAFE_FREE_STRING(pszDomainName);
LW_SAFE_FREE_STRING(pszSourcePath);
LW_SAFE_FREE_STRING(pszPolicyIdentifier);
*ppszDomainName = NULL;
*ppszSourcePath = NULL;
*ppszPolicyIdentifier = NULL;
return dwError;
error:
goto cleanup;
}
DWORD
CacheUserLoginMessage(
PSTR pszHomeDirPath,
PSTR pszMessage
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR pszFileDir = NULL;
PSTR pszFilePath = NULL;
BOOLEAN bDirExists = FALSE;
FILE * fp = NULL;
int len = 0;
if (!pszMessage || strlen(pszMessage) == 0)
{
goto error;
}
if (!pszHomeDirPath || strlen(pszHomeDirPath) == 0)
{
goto error;
}
LOG("Saving user login message to [homedir: %s]", pszHomeDirPath);
dwError = LwAllocateStringPrintf(&pszFileDir, "%s/Library/Preferences", pszHomeDirPath);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateStringPrintf(&pszFilePath, "%s/login-message", pszFileDir);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwCheckFileTypeExists(pszFileDir, LWFILE_DIRECTORY, &bDirExists);
BAIL_ON_MAC_ERROR(dwError);
if (bDirExists == FALSE)
{
dwError = LwCreateDirectory(pszFileDir, S_IRUSR|S_IRGRP|S_IROTH);
BAIL_ON_MAC_ERROR(dwError);
}
fp = fopen(pszFilePath, "w");
if (fp)
{
len = fwrite(pszMessage, sizeof(char), strlen(pszMessage), fp);
if (len < strlen(pszMessage))
{
dwError = ENOMEM;
BAIL_ON_MAC_ERROR(dwError);
}
}
error:
LW_SAFE_FREE_STRING(pszFilePath);
LW_SAFE_FREE_STRING(pszFileDir);
if (fp)
{
fclose(fp);
}
return dwError;
}
DWORD
CollectCurrentADAttributesForUser(
PSTR pszUserUPN,
PSTR pszUserDomain,
PSTR pszMessage,
BOOLEAN bOnlineLogon
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PGPUSER_AD_ATTRS pUserADAttrs = NULL;
PADU_CRED_CONTEXT pCredContext = NULL;
BOOLEAN bDeactivateCredContext = FALSE;
PSTR pszOrigCachePath = NULL;
HANDLE hDirectory = (HANDLE)NULL;
dwError = ADUBuildCredContext(
NULL,
pszUserUPN,
bOnlineLogon,
&pCredContext);
BAIL_ON_MAC_ERROR(dwError);
/* Update user logon message which is accessed and reported with LoginHook script */
dwError = CacheUserLoginMessage(pCredContext->pszHomeDirPath, pszMessage);
BAIL_ON_MAC_ERROR(dwError);
if (bOnlineLogon)
{
LOG("Connecting to AD using these credentials: path: %s, user: %s, domain: %s", pCredContext->pszCachePath, pszUserUPN, pszUserDomain);
/* Set default credentials to the user's */
dwError = ADUInitKrb5(pszUserDomain);
BAIL_ON_MAC_ERROR(dwError);
dwError = ADUKrb5SetDefaultCachePath(
pCredContext->pszCachePath,
&pszOrigCachePath);
BAIL_ON_MAC_ERROR(dwError);
dwError = ADUActivateCredContext(pCredContext);
BAIL_ON_MAC_ERROR(dwError);
bDeactivateCredContext = TRUE;
dwError = ADUOpenLwLdapDirectory(pszUserDomain, &hDirectory);
BAIL_ON_MAC_ERROR(dwError);
dwError = GetUserAttributes(hDirectory,
pCredContext->pszSID,
pszUserDomain,
&pUserADAttrs);
if (dwError)
{
LOG("Error (%d) while reading user AD attributes from domain DC", dwError);
BAIL_ON_MAC_ERROR(dwError);
}
dwError = CacheUserAttributes(pCredContext->uid, pUserADAttrs);
if (dwError)
{
LOG("Error (%d) while saving user AD attributes to cache", dwError);
BAIL_ON_MAC_ERROR(dwError);
}
dwError = FlushDirectoryServiceCache();
if (dwError)
{
LOG("Failed to flush the Mac DirectoryService cache. Error: %d", dwError);
BAIL_ON_MAC_ERROR(dwError);
}
}
else
{
LOG("Offline logon, can't refresh AD user attributes for: user: %s, domain: %s", pszUserUPN, pszUserDomain);
}
cleanup:
FreeUserAttributes(pUserADAttrs);
if (hDirectory != (HANDLE)NULL)
{
LwLdapCloseDirectory(hDirectory);
}
if (pCredContext)
{
if (bDeactivateCredContext)
{
ADUDeactivateCredContext(pCredContext);
}
ADUFreeCredContext(pCredContext);
}
if (pszOrigCachePath)
{
DWORD dwError2 = ADUKrb5SetDefaultCachePath(pszOrigCachePath, NULL);
if (dwError2)
{
LOG_ERROR("Failed to revert kerberos cache path [code:%d]", dwError2);
}
LwFreeMemory(pszOrigCachePath);
}
return LWGetMacError(dwError);
error:
goto cleanup;
}
DWORD
ADUInitKrb5(
PCSTR pszDomainName
)
{
DWORD dwError = 0;
CHAR szKrb5HostName[PATH_MAX];
PSTR pszKrb5CachePath = NULL;
DWORD dwTicketExpiryTime = 0;
char * szLocal = NULL;
char * szDot = NULL;
unsigned int len = 0;
BOOLEAN bInLock = FALSE;
ENTER_KRB5_LOCK(bInLock);
if (ADUKrb5TicketHasExpired()) {
memset(szKrb5HostName, 0, sizeof(szKrb5HostName));
if (gethostname(szKrb5HostName, sizeof(szKrb5HostName)) != 0)
{
dwError = MAC_AD_ERROR_INVALID_NAME;;
BAIL_ON_MAC_ERROR(dwError);
}
len = strlen(szKrb5HostName);
if ( len > strlen(".local") )
{
szLocal = &szKrb5HostName[len - strlen(".local")];
if ( !strcasecmp( szLocal, ".local" ) )
{
szLocal[0] = '\0';
}
}
/* Test to see if the name is still dotted. If so we will chop it down to
just the hostname field. */
szDot = strchr(szKrb5HostName, '.');
if ( szDot )
{
szDot[0] = '\0';
}
strcat(szKrb5HostName, "$@");
strcat(szKrb5HostName, pszDomainName);
ADUStrToUpper(szKrb5HostName);
dwError = ADUKrb5GetSystemCachePath(&pszKrb5CachePath);
BAIL_ON_MAC_ERROR(dwError);
dwError = ADUKerb5GetTGTFromKeytab(szKrb5HostName, NULL, pszKrb5CachePath, &dwTicketExpiryTime);
BAIL_ON_MAC_ERROR(dwError);
gdwKrbTicketExpiryTime = dwTicketExpiryTime;
}
cleanup:
LEAVE_KRB5_LOCK(bInLock);
return dwError;
error:
goto cleanup;
}
DWORD
LWSetConfigValueBySection(
PCFGSECTION pSection,
PCSTR pszName,
PCSTR pszValue
)
{
DWORD dwError = 0;
PNVPAIR pNVPair = NULL;
PNVPAIR pTmpNVPair = NULL;
pTmpNVPair = pSection->pNVPairList;
while (pTmpNVPair) {
if (!strcmp(pTmpNVPair->pszName, pszName)) {
pNVPair = pTmpNVPair;
break;
}
pTmpNVPair = pTmpNVPair->pNext;
}
if (pNVPair == NULL) {
dwError = LwAllocateMemory(sizeof(NVPAIR), (PVOID*)&pNVPair);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateString(pszName, &pNVPair->pszName);
BAIL_ON_MAC_ERROR(dwError);
LwStripWhitespace(pNVPair->pszName, TRUE, TRUE);
if (!IsNullOrEmptyString(pszValue)) {
dwError = LwAllocateString(pszValue, &pNVPair->pszValue);
BAIL_ON_MAC_ERROR(dwError);
}
if (!pSection->pNVPairList) {
pSection->pNVPairList = pNVPair;
pNVPair = NULL;
} else {
pTmpNVPair = pSection->pNVPairList;
while (pTmpNVPair->pNext != NULL)
pTmpNVPair = pTmpNVPair->pNext;
pTmpNVPair->pNext = pNVPair;
pNVPair = NULL;
}
} else {
if (pNVPair->pszValue) {
LW_SAFE_FREE_STRING(pNVPair->pszValue);
pNVPair->pszValue = NULL;
if (!IsNullOrEmptyString(pszValue)) {
dwError = LwAllocateString(pszValue, &pNVPair->pszValue);
BAIL_ON_MAC_ERROR(dwError);
}
}
}
cleanup:
return dwError;
error:
if (pNVPair) {
LWFreeNVPair(pNVPair);
}
goto cleanup;
}
DWORD
ADUGetMCXPolicy(
HANDLE hDirectory,
PCSTR pszDN,
PCSTR pszGPOName,
PGROUP_POLICY_OBJECT * ppGPO
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR szAttributeList[] = { "distinguishedName", NULL };
char szQuery[512] = {0};
PGROUP_POLICY_OBJECT pGPObject = NULL;
LDAPMessage* pMessage = NULL;
DWORD dwCount = 0;
PSTR pszValue = NULL;
sprintf(szQuery, "(&(objectclass=groupPolicyContainer)(%s=%s))", ADU_DISPLAY_NAME_ATTR, pszGPOName);
dwError = LwLdapDirectorySearch(
hDirectory,
pszDN,
LDAP_SCOPE_ONELEVEL,
szQuery,
szAttributeList,
&pMessage);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapCountEntries(
hDirectory,
pMessage,
&dwCount
);
BAIL_ON_MAC_ERROR(dwError);
if (dwCount < 0) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
} else if (dwCount == 0) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
} else if (dwCount > 1) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pMessage,
"distinguishedName",
&pszValue);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
BAIL_ON_MAC_ERROR(dwError);
pGPObject->pszPolicyDN = pszValue;
pszValue = NULL;
*ppGPO = pGPObject;
pGPObject = NULL;
cleanup:
if (pMessage) {
ldap_msgfree(pMessage);
}
LW_SAFE_FREE_STRING(pszValue);
ADU_SAFE_FREE_GPO_LIST (pGPObject);
return dwError;
error:
if (ppGPO)
*ppGPO = NULL;
goto cleanup;
}
DWORD
ADUGetPolicyInformation(
HANDLE hDirectory,
PCSTR pszPolicyDN,
PGROUP_POLICY_OBJECT pGroupPolicyObject
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR szAttributeList[] =
{ADU_DISPLAY_NAME_ATTR,
ADU_FLAGS_ATTR,
ADU_FILESYS_PATH_ATTR,
ADU_FUNCTIONALITY_VERSION_ATTR,
ADU_MACHINE_EXTENSION_NAMES_ATTR,
ADU_USER_EXTENSION_NAMES_ATTR,
ADU_WQL_FILTER_ATTR,
ADU_VERSION_NUMBER_ATTR,
NULL
};
LDAPMessage* pMessage = NULL;
DWORD dwCount = 0;
PSTR pszValue = NULL;
DWORD dwValue = 0;
dwError = LwLdapDirectorySearch(
hDirectory,
pszPolicyDN,
LDAP_SCOPE_BASE,
(PSTR)"(objectclass=*)",
szAttributeList,
&pMessage);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapCountEntries(
hDirectory,
pMessage,
&dwCount
);
BAIL_ON_MAC_ERROR(dwError);
if (dwCount < 0) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
} else if (dwCount == 0) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
} else if (dwCount > 1) {
dwError = MAC_AD_ERROR_NO_SUCH_POLICY;
}
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapGetString(hDirectory,
pMessage,
ADU_DISPLAY_NAME_ATTR,
&pszValue);
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->pszDisplayName = pszValue;
pszValue = NULL;
dwError = LwLdapGetUInt32(hDirectory,
pMessage,
ADU_FLAGS_ATTR,
&dwValue);
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->dwFlags = dwValue;
dwError = LwLdapGetString(hDirectory,
pMessage,
ADU_FILESYS_PATH_ATTR,
&pszValue);
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->pszgPCFileSysPath = pszValue;
pszValue = NULL;
dwError = LwLdapGetUInt32(hDirectory,
pMessage,
ADU_FUNCTIONALITY_VERSION_ATTR,
&dwValue);
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->gPCFunctionalityVersion = dwValue;
dwError = LwLdapGetString(hDirectory,
pMessage,
ADU_MACHINE_EXTENSION_NAMES_ATTR,
&pszValue);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = 0;
}
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->pszgPCMachineExtensionNames = pszValue;
pszValue = NULL;
dwError = LwLdapGetString(hDirectory,
pMessage,
ADU_USER_EXTENSION_NAMES_ATTR,
&pszValue);
if (dwError == LW_ERROR_INVALID_LDAP_ATTR_VALUE)
{
dwError = 0;
}
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->pszgPCUserExtensionNames = pszValue;
pszValue = NULL;
dwError = LwLdapGetUInt32(hDirectory,
pMessage,
ADU_VERSION_NUMBER_ATTR,
&dwValue);
BAIL_ON_MAC_ERROR(dwError);
pGroupPolicyObject->dwVersion = dwValue;
cleanup:
LW_SAFE_FREE_STRING(pszValue);
if (pMessage) {
ldap_msgfree(pMessage);
}
return dwError;
error:
LOG_ERROR("Failed to find policy or read GPO attributes for policy (%s)", pszPolicyDN);
goto cleanup;
}
DWORD
ADUGetAllMCXPolicies(
HANDLE hDirectory,
PCSTR pszDN,
PGROUP_POLICY_OBJECT * ppGroupPolicyObjects
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR szAttributeList[] = { "distinguishedName", NULL };
PGROUP_POLICY_OBJECT pGPObjectList = NULL;
PGROUP_POLICY_OBJECT pGPObject = NULL;
LDAPMessage* pMessage = NULL;
LDAPMessage* pLDAPMessage = NULL;
DWORD dwCount = 0;
PSTR pszValue = NULL;
dwError = LwLdapDirectorySearch(
hDirectory,
pszDN,
LDAP_SCOPE_ONELEVEL,
(PSTR)"(&(objectclass=groupPolicyContainer)(|(gPCMachineExtensionNames=*{B9BF896E-F9EB-49B5-8E67-11E2EDAED06C}*)(gPCUserExtensionNames=*{07E500C4-20FD-4829-8F38-B5FF63FA0493}*)))",
szAttributeList,
&pMessage);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwLdapCountEntries(
hDirectory,
pMessage,
&dwCount
);
BAIL_ON_MAC_ERROR(dwError);
if (dwCount > 0)
{
pLDAPMessage = LwLdapFirstEntry(hDirectory, pMessage);
}
while(pLDAPMessage != NULL)
{
dwError = LwLdapGetString(hDirectory,
pLDAPMessage,
"distinguishedName",
&pszValue);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateMemory(sizeof(GROUP_POLICY_OBJECT), (PVOID*)&pGPObject);
BAIL_ON_MAC_ERROR(dwError);
pGPObject->pszPolicyDN = pszValue;
pszValue = NULL;
if (pGPObjectList != NULL)
{
pGPObject->pNext = pGPObjectList;
pGPObjectList = pGPObject;
}
else
{
pGPObjectList = pGPObject;
}
pGPObject = NULL;
pLDAPMessage = LwLdapNextEntry(hDirectory, pLDAPMessage);
}
if (*ppGroupPolicyObjects != NULL)
{
(*ppGroupPolicyObjects)->pNext = pGPObjectList;
}
else
{
*ppGroupPolicyObjects = pGPObjectList;
}
if (pMessage)
{
ldap_msgfree(pMessage);
}
if (pLDAPMessage)
{
ldap_msgfree(pLDAPMessage);
}
return dwError;
cleanup:
if (pMessage)
{
ldap_msgfree(pMessage);
}
if (pLDAPMessage)
{
ldap_msgfree(pLDAPMessage);
}
LW_SAFE_FREE_STRING(pszValue);
ADU_SAFE_FREE_GPO_LIST (pGPObject);
ADU_SAFE_FREE_GPO_LIST (pGPObjectList);
return dwError;
error:
if (ppGroupPolicyObjects)
*ppGroupPolicyObjects = NULL;
goto cleanup;
}
DWORD
CacheUserAttributes(
uid_t uid,
PGPUSER_AD_ATTRS pUserADAttrs
)
{
DWORD dwError = MAC_AD_ERROR_SUCCESS;
PSTR pszFileDir = NULL;
PSTR pszFilePath = NULL;
PCFGSECTION pUserSettingsList = NULL;
PCFGSECTION pADSection_Name = NULL;
PCFGSECTION pADSection_EMail = NULL;
PCFGSECTION pADSection_Phone = NULL;
PCFGSECTION pADSection_Address = NULL;
PCFGSECTION pADSection_Work = NULL;
PCFGSECTION pADSection_Network = NULL;
BOOLEAN bDirExists = FALSE;
LOG("Saving user attributes to user logon cache [uid: %ld, display name: %s]",
(long)uid,
pUserADAttrs->pszDisplayName ? pUserADAttrs->pszDisplayName : "<null>");
dwError = LwAllocateStringPrintf(&pszFileDir, "/var/lib/pbis/lwedsplugin/user-cache/%ld", (long) uid);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwAllocateStringPrintf(&pszFilePath, "/var/lib/pbis/lwedsplugin/user-cache/%ld/ad-user-attrs", (long) uid);
BAIL_ON_MAC_ERROR(dwError);
dwError = LwCheckFileTypeExists(pszFileDir, LWFILE_DIRECTORY, &bDirExists);
BAIL_ON_MAC_ERROR(dwError);
if (bDirExists == FALSE)
{
dwError = LwCreateDirectory(pszFileDir, S_IRUSR|S_IRGRP|S_IROTH);
BAIL_ON_MAC_ERROR(dwError);
}
dwError = LWCreateConfigSection(&pUserSettingsList,
&pADSection_Name,
"User AD Name Attributes");
BAIL_ON_MAC_ERROR(dwError);
dwError = LWCreateConfigSection(&pADSection_EMail,
&pADSection_EMail,
"User AD EMail Attributes");
BAIL_ON_MAC_ERROR(dwError);
dwError = LWCreateConfigSection(&pADSection_Phone,
&pADSection_Phone,
"User AD Phone Attributes");
BAIL_ON_MAC_ERROR(dwError);
dwError = LWCreateConfigSection(&pADSection_Address,
&pADSection_Address,
"User AD Address Attributes");
BAIL_ON_MAC_ERROR(dwError);
dwError = LWCreateConfigSection(&pADSection_Work,
&pADSection_Work,
"User AD Work Attributes");
BAIL_ON_MAC_ERROR(dwError);
dwError = LWCreateConfigSection(&pADSection_Network,
&pADSection_Network,
"User AD Network Settings Attributes");
BAIL_ON_MAC_ERROR(dwError);
pADSection_Name->pNext = pADSection_EMail;
pADSection_EMail->pNext = pADSection_Phone;
pADSection_Phone->pNext = pADSection_Address;
pADSection_Address->pNext = pADSection_Work;
pADSection_Work->pNext = pADSection_Network;
if (pUserADAttrs->pszDisplayName)
{
dwError = LWSetConfigValueBySection(pUserSettingsList,
"displayName",
pUserADAttrs->pszDisplayName);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszFirstName)
{
dwError = LWSetConfigValueBySection(pADSection_Name,
"givenName",
pUserADAttrs->pszFirstName);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszLastName)
{
dwError = LWSetConfigValueBySection(pADSection_Name,
"sn",
pUserADAttrs->pszLastName);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszADDomain)
{
dwError = LWSetConfigValueBySection(pADSection_Name,
"userDomain",
pUserADAttrs->pszADDomain);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszKerberosPrincipal)
{
dwError = LWSetConfigValueBySection(pADSection_Name,
"userPrincipalName",
pUserADAttrs->pszKerberosPrincipal);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszEMailAddress)
{
dwError = LWSetConfigValueBySection(pADSection_EMail,
"mail",
pUserADAttrs->pszEMailAddress);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMSExchHomeServerName)
{
dwError = LWSetConfigValueBySection(pADSection_EMail,
"msExchHomeServerName",
pUserADAttrs->pszMSExchHomeServerName);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMSExchHomeMDB)
{
dwError = LWSetConfigValueBySection(pADSection_EMail,
"homeMDB",
pUserADAttrs->pszMSExchHomeMDB);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszTelephoneNumber)
{
dwError = LWSetConfigValueBySection(pADSection_Phone,
"telephoneNumber",
pUserADAttrs->pszTelephoneNumber);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszFaxTelephoneNumber)
{
dwError = LWSetConfigValueBySection(pADSection_Phone,
"facsimileTelephoneNumber",
pUserADAttrs->pszFaxTelephoneNumber);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMobileTelephoneNumber)
{
dwError = LWSetConfigValueBySection(pADSection_Phone,
"mobile",
pUserADAttrs->pszMobileTelephoneNumber);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszStreetAddress)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"streetAddress",
pUserADAttrs->pszStreetAddress);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszPostOfficeBox)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"postOfficeBox",
pUserADAttrs->pszPostOfficeBox);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszCity)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"l",
pUserADAttrs->pszCity);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszState)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"st",
pUserADAttrs->pszState);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszPostalCode)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"postalCode",
pUserADAttrs->pszPostalCode);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszCountry)
{
dwError = LWSetConfigValueBySection(pADSection_Address,
"co",
pUserADAttrs->pszCountry);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszTitle)
{
dwError = LWSetConfigValueBySection(pADSection_Work,
"title",
pUserADAttrs->pszTitle);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszCompany)
{
dwError = LWSetConfigValueBySection(pADSection_Work,
"company",
pUserADAttrs->pszCompany);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszDepartment)
{
dwError = LWSetConfigValueBySection(pADSection_Work,
"department",
pUserADAttrs->pszDepartment);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszHomeDirectory)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"homeDirectory",
pUserADAttrs->pszHomeDirectory);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszHomeDrive)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"homeDrive",
pUserADAttrs->pszHomeDrive);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszPasswordLastSet)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"pwdLastSet",
pUserADAttrs->pszPasswordLastSet);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszUserAccountControl)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"userAccountControl",
pUserADAttrs->pszUserAccountControl);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMaxMinutesUntilChangePassword)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"maxPwdAge",
pUserADAttrs->pszMaxMinutesUntilChangePassword);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMinMinutesUntilChangePassword)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"minPwdAge",
pUserADAttrs->pszMinMinutesUntilChangePassword);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMaxFailedLoginAttempts)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"lockoutThreshhold",
pUserADAttrs->pszMaxFailedLoginAttempts);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszAllowedPasswordHistory)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"pwdHistoryLength",
pUserADAttrs->pszAllowedPasswordHistory);
BAIL_ON_MAC_ERROR(dwError);
}
if (pUserADAttrs->pszMinCharsAllowedInPassword)
{
dwError = LWSetConfigValueBySection(pADSection_Network,
"minPwdLength",
pUserADAttrs->pszMinCharsAllowedInPassword);
BAIL_ON_MAC_ERROR(dwError);
}
dwError = LWSaveConfigSectionList(pszFilePath, pUserSettingsList);
BAIL_ON_MAC_ERROR(dwError);
error:
LW_SAFE_FREE_STRING(pszFilePath);
LW_SAFE_FREE_STRING(pszFileDir);
LWFreeConfigSectionList(pUserSettingsList);
pUserSettingsList = NULL;
return dwError;
}
static
DWORD
ADUKerb5GetTGTFromKeytab(
char *szUserName,
char *szPassword,
char *pszCachePath,
PDWORD pdwGoodUntilTime
)
{
DWORD dwError = 0;
krb5_error_code ret = 0;
krb5_context ctx = NULL;
krb5_creds creds = { 0 };
krb5_ccache cc = NULL;
krb5_keytab keytab = 0;
krb5_principal client_principal = NULL;
dwError = ADUKerb5DestroyCache(pszCachePath);
BAIL_ON_MAC_ERROR(dwError);
dwError = LWNetExtendEnvironmentForKrb5Affinity(TRUE);
BAIL_ON_MAC_ERROR(dwError);
ret = krb5_init_context(&ctx);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_parse_name(ctx, szUserName, &client_principal);
BAIL_ON_KRB_ERROR(ctx, ret);
/* use krb5_cc_resolve to get an alternate cache */
ret = krb5_cc_resolve(ctx, pszCachePath, &cc);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_kt_default(ctx, &keytab);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_get_init_creds_keytab(
ctx,
&creds,
client_principal,
keytab,
0, /* start time */
NULL, /* in_tkt_service */
NULL /* options */
);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_initialize(ctx, cc, client_principal);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_store_cred(ctx, cc, &creds);
BAIL_ON_KRB_ERROR(ctx, ret);
*pdwGoodUntilTime = creds.times.endtime;
error:
if (creds.client == client_principal) {
creds.client = NULL;
}
if (ctx) {
if (client_principal) {
krb5_free_principal(ctx, client_principal);
}
if (keytab) {
krb5_kt_close(ctx, keytab);
}
if (cc) {
krb5_cc_close(ctx, cc);
}
krb5_free_cred_contents(ctx, &creds);
krb5_free_context(ctx);
}
return(dwError);
}