static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
{
ADS_STATUS status;
struct ads_service_principal p;
status = ads_generate_service_principal(ads, &p);
if (!ADS_ERR_OK(status)) {
return status;
}
if (ads->auth.password == NULL ||
ads->auth.password[0] == '\0') {
status = ads_sasl_gssapi_do_bind(ads, p.name);
if (ADS_ERR_OK(status)) {
ads_free_service_principal(&p);
return status;
}
DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
"calling kinit\n", ads_errstr(status)));
}
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_gssapi_do_bind(ads, p.name);
}
ads_free_service_principal(&p);
return status;
}
static int ads_group_delete(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
char *groupdn;
if (argc < 1) {
return net_ads_group_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_user_acct(ads, &res, argv[0]);
if (!ADS_ERR_OK(rc)) {
DEBUG(0, ("Group %s does not exist\n", argv[0]));
ads_destroy(&ads);
return -1;
}
groupdn = ads_get_dn(ads, res);
ads_msgfree(ads, res);
rc = ads_del_dn(ads, groupdn);
ads_memfree(ads, groupdn);
if (!ADS_ERR_OK(rc)) {
d_printf("Group %s deleted\n", argv[0]);
ads_destroy(&ads);
return 0;
}
d_printf("Error deleting group %s: %s\n", argv[0],
ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
static int net_ads_printer_remove(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
const char *servername;
char *prt_dn;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
if (argc < 1) {
return net_ads_printer_usage(argc, argv);
}
if (argc > 1) {
servername = argv[1];
} else {
servername = global_myname();
}
rc = ads_find_printer_on_server(ads, &res, argv[0], servername);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_printer_on_server: %s\n", ads_errstr(rc));
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("Printer '%s' not found\n", argv[1]);
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
prt_dn = ads_get_dn(ads, res);
ads_msgfree(ads, res);
rc = ads_del_dn(ads, prt_dn);
ads_memfree(ads, prt_dn);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_del_dn: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
ads_destroy(&ads);
return 0;
}
/*
do a rough conversion between ads error codes and NT status codes
we'll need to fill this in more
*/
NTSTATUS ads_ntstatus(ADS_STATUS status)
{
switch (status.error_type) {
case ENUM_ADS_ERROR_NT:
return status.err.nt_status;
case ENUM_ADS_ERROR_SYSTEM:
return map_nt_error_from_unix(status.err.rc);
#ifdef HAVE_LDAP
case ENUM_ADS_ERROR_LDAP:
if (status.err.rc == LDAP_SUCCESS) {
return NT_STATUS_OK;
}
return NT_STATUS_LDAP(status.err.rc);
#endif
#ifdef HAVE_KRB5
case ENUM_ADS_ERROR_KRB5:
return krb5_to_nt_status(status.err.rc);
#endif
default:
break;
}
if (ADS_ERR_OK(status)) {
return NT_STATUS_OK;
}
return NT_STATUS_UNSUCCESSFUL;
}
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
char *password;
char *new_password;
ADS_STATUS ret;
enum netr_SchannelType sec_channel_type;
if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
return ADS_ERROR_SYSTEM(ENOENT);
}
new_password = generate_random_password(talloc_tos(),
DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset);
if (!ADS_ERR_OK(ret)) {
goto failed;
}
if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
DEBUG(1,("Failed to save machine password\n"));
ret = ADS_ERROR_SYSTEM(EACCES);
goto failed;
}
failed:
SAFE_FREE(password);
return ret;
}
static int net_ads_printer_search(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res = NULL;
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_printers(ads, &res);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_printer: %s\n", ads_errstr(rc));
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("No results found\n");
ads_msgfree(ads, res);
ads_destroy(&ads);
return -1;
}
ads_dump(ads, res);
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
static WERROR nt_printer_unpublish_ads(ADS_STRUCT *ads,
const char *printer)
{
ADS_STATUS ads_rc;
LDAPMessage *res = NULL;
char *prt_dn = NULL;
DEBUG(5, ("unpublishing printer %s\n", printer));
/* remove the printer from the directory */
ads_rc = ads_find_printer_on_server(ads, &res,
printer, lp_netbios_name());
if (ADS_ERR_OK(ads_rc) && res && ads_count_replies(ads, res)) {
prt_dn = ads_get_dn(ads, talloc_tos(), res);
if (!prt_dn) {
ads_msgfree(ads, res);
return WERR_NOMEM;
}
ads_rc = ads_del_dn(ads, prt_dn);
TALLOC_FREE(prt_dn);
}
if (res) {
ads_msgfree(ads, res);
}
return WERR_OK;
}
/*
determine the netbios workgroup name for a domain
*/
static int net_ads_workgroup(int argc, const char **argv)
{
ADS_STRUCT *ads;
TALLOC_CTX *ctx;
const char *workgroup;
if (!(ads = ads_startup())) return -1;
if (!(ctx = talloc_init("net_ads_workgroup"))) {
ads_destroy(&ads);
return -1;
}
if (!ADS_ERR_OK(ads_workgroup_name(ads, ctx, &workgroup))) {
d_printf("Failed to find workgroup for realm '%s'\n",
ads->config.realm);
talloc_destroy(ctx);
ads_destroy(&ads);
return -1;
}
d_printf("Workgroup: %s\n", workgroup);
talloc_destroy(ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_status(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_find_machine_acct(ads, &res, global_myname());
if (!ADS_ERR_OK(rc)) {
d_printf("ads_find_machine_acct: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
if (ads_count_replies(ads, res) == 0) {
d_printf("No machine account for '%s' found\n", global_myname());
ads_destroy(&ads);
return -1;
}
ads_dump(ads, res);
ads_destroy(&ads);
return 0;
}
/* convert a sid to a user or group name */
NTSTATUS ads_sid_to_name(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const DOM_SID *sid,
char **name,
enum SID_NAME_USE *type)
{
const char *attrs[] = {"userPrincipalName",
"sAMAccountName",
"sAMAccountType", NULL};
ADS_STATUS rc;
void *msg = NULL;
char *ldap_exp = NULL;
char *sidstr = NULL;
uint32 atype;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
if (!(sidstr = sid_binstring(sid))) {
DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) {
DEBUG(1,("ads_sid_to_name: asprintf failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
rc = ads_search_retry(ads, &msg, ldap_exp, attrs);
if (!ADS_ERR_OK(rc)) {
status = ads_ntstatus(rc);
DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc)));
goto done;
}
if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
goto done;
}
*name = ads_pull_username(ads, mem_ctx, msg);
if (!*name) {
DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
}
*type = ads_atype_map(atype);
status = NT_STATUS_OK;
DEBUG(3,("ads sid_to_name mapped %s\n", *name));
done:
if (msg) ads_msgfree(ads, msg);
SAFE_FREE(ldap_exp);
SAFE_FREE(sidstr);
return status;
}
void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
{
ADS_STATUS status;
int i;
int lvl = 10;
if (gp_link == NULL) {
return;
}
DEBUG(lvl,("---------------------\n\n"));
DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link));
DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts));
switch (gp_link->gp_opts) {
case GPOPTIONS_INHERIT:
DEBUGADD(lvl,("GPOPTIONS_INHERIT\n"));
break;
case GPOPTIONS_BLOCK_INHERITANCE:
DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n"));
break;
default:
break;
}
DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
for (i = 0; i < gp_link->num_links; i++) {
DEBUGADD(lvl,("---------------------\n\n"));
DEBUGADD(lvl,("link: #%d\n", i + 1));
DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i]));
if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) {
DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED "));
}
if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED"));
}
DEBUGADD(lvl,("\n"));
if (ads != NULL && mem_ctx != NULL) {
struct GROUP_POLICY_OBJECT gpo;
status = ads_get_gpo(ads, mem_ctx,
gp_link->link_names[i],
NULL, NULL, &gpo);
if (!ADS_ERR_OK(status)) {
DEBUG(lvl,("get gpo for %s failed: %s\n",
gp_link->link_names[i],
ads_errstr(status)));
return;
}
dump_gpo(ads, mem_ctx, &gpo, lvl);
}
}
}
static ADS_STATUS gpo_process_gpo_list_by_ext(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const struct security_token *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid,
uint32_t flags)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo;
for (gpo = gpo_list; gpo; gpo = gpo->next) {
if (gpo->link_type == GP_LINK_LOCAL) {
continue;
}
/* FIXME: we need to pass down the *list* down to the
* extension, otherwise we cannot store the e.g. the *list* of
* logon-scripts correctly (for more then one GPO) */
status = gpo_process_a_gpo(ads, mem_ctx, token, root_key,
gpo, extensions_guid, flags);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("failed to process gpo by ext: %s\n",
ads_errstr(status)));
return status;
}
}
return ADS_SUCCESS;
}
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
{
const char *attrs[] = {"supportedSASLMechanisms", NULL};
char **values;
ADS_STATUS status;
int i, j;
LDAPMessage *res;
/* get a list of supported SASL mechanisms */
status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status)) return status;
values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms");
/* try our supported mechanisms in order */
for (i=0;sasl_mechanisms[i].name;i++) {
/* see if the server supports it */
for (j=0;values && values[j];j++) {
if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
DEBUG(4,("Found SASL mechanism %s\n", values[j]));
status = sasl_mechanisms[i].fn(ads);
ldap_value_free(values);
ldap_msgfree(res);
return status;
}
}
}
ldap_value_free(values);
ldap_msgfree(res);
return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
}
static int net_ads_leave(int argc, const char **argv)
{
ADS_STRUCT *ads = NULL;
ADS_STATUS rc;
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
if (!opt_password) {
net_use_machine_password();
}
if (!(ads = ads_startup())) {
return -1;
}
rc = ads_leave_realm(ads, global_myname());
if (!ADS_ERR_OK(rc)) {
d_printf("Failed to delete host '%s' from the '%s' realm.\n",
global_myname(), ads->config.realm);
ads_destroy(&ads);
return -1;
}
d_printf("Removed '%s' from realm '%s'\n", global_myname(), ads->config.realm);
ads_destroy(&ads);
return 0;
}
static WERROR nt_printer_guid_retrieve_internal(ADS_STRUCT *ads,
const char *printer_dn,
struct GUID *pguid)
{
ADS_STATUS ads_status;
LDAPMessage *res;
const char *attrs[] = {"objectGUID", NULL};
struct GUID guid;
bool ok;
ads_status = ads_search_dn(ads, &res, printer_dn, attrs);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(2, ("Failed to retrieve GUID from DC - %s\n",
ads_errstr(ads_status)));
return WERR_BADFILE;
}
ZERO_STRUCT(guid);
ok = ads_pull_guid(ads, res, &guid);
ads_msgfree(ads, res);
if (!ok) {
return WERR_NOMEM;
}
*pguid = guid;
return WERR_OK;
}
static ADS_STATUS ads_sasl_ntlmssp_unwrap(ADS_STRUCT *ads)
{
struct ntlmssp_state *ntlmssp_state =
(struct ntlmssp_state *)ads->ldap.wrap_private_data;
ADS_STATUS status;
NTSTATUS nt_status;
DATA_BLOB sig;
uint8 *dptr = ads->ldap.in.buf + (4 + NTLMSSP_SIG_SIZE);
uint32 dlen = ads->ldap.in.ofs - (4 + NTLMSSP_SIG_SIZE);
/* wrap the signature into a DATA_BLOB */
sig = data_blob_const(ads->ldap.in.buf + 4, NTLMSSP_SIG_SIZE);
/* verify the signature and maybe decrypt the data */
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
nt_status = ntlmssp_unseal_packet(ntlmssp_state,
dptr, dlen,
dptr, dlen,
&sig);
} else {
nt_status = ntlmssp_check_packet(ntlmssp_state,
dptr, dlen,
dptr, dlen,
&sig);
}
status = ADS_ERROR_NT(nt_status);
if (!ADS_ERR_OK(status)) return status;
/* set the amount of bytes for the upper layer and set the ofs to the data */
ads->ldap.in.left = dlen;
ads->ldap.in.ofs = 4 + NTLMSSP_SIG_SIZE;
return ADS_SUCCESS;
}
/* display SD */
void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd)
{
int i;
char *tmp_path = NULL;
if (!sd) {
return;
}
if (ads && !ads->config.schema_path) {
if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) {
ads->config.schema_path = SMB_STRDUP(tmp_path);
}
}
if (ads && !ads->config.config_path) {
if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) {
ads->config.config_path = SMB_STRDUP(tmp_path);
}
}
printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n",
sd->revision,
sd->type);
printf("owner SID: %s\n", sd->owner_sid ?
sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)");
printf("group SID: %s\n", sd->group_sid ?
sid_string_talloc(mem_ctx, sd->group_sid) : "(null)");
ads_disp_acl(sd->sacl, "system");
if (sd->sacl) {
for (i = 0; i < sd->sacl->num_aces; i ++) {
ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]);
}
}
ads_disp_acl(sd->dacl, "user");
if (sd->dacl) {
for (i = 0; i < sd->dacl->num_aces; i ++) {
ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]);
}
}
printf("-------------- End Of Security Descriptor\n");
}
static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
struct GROUP_POLICY_OBJECT gpo;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo getgpo <gpo>\n"
" List speciefied GPO\n"
" gpo\t\tGPO to list\n");
return -1;
}
mem_ctx = talloc_init("ads_gpo_get_gpo");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (strnequal(argv[0], "CN={", strlen("CN={"))) {
status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
} else {
status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
}
if (!ADS_ERR_OK(status)) {
d_printf("get gpo for [%s] failed: %s\n", argv[0],
ads_errstr(status));
goto out;
}
dump_gpo(ads, mem_ctx, &gpo, 1);
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int ads_group_add(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
void *res=NULL;
int rc = -1;
if (argc < 1) {
return net_ads_group_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
status = ads_find_user_acct(ads, &res, argv[0]);
if (!ADS_ERR_OK(status)) {
d_printf("ads_group_add: %s\n", ads_errstr(status));
goto done;
}
if (ads_count_replies(ads, res)) {
d_printf("ads_group_add: Group %s already exists\n", argv[0]);
ads_msgfree(ads, res);
goto done;
}
status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
if (ADS_ERR_OK(status)) {
d_printf("Group %s added\n", argv[0]);
rc = 0;
} else {
d_printf("Could not add group %s: %s\n", argv[0],
ads_errstr(status));
}
done:
if (res)
ads_msgfree(ads, res);
ads_destroy(&ads);
return rc;
}
static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
uint32 gpo_opt = 0;
TALLOC_CTX *mem_ctx;
if (argc < 2 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkadd <linkdn> <gpodn> [options]\n"
" Link a container to a GPO\n"
" linkdn\tContainer to link to a GPO\n"
" gpodn\tGPO to link container to\n");
d_printf("note: DNs must be provided properly escaped.\n");
d_printf("See RFC 4514 for details\n");
return -1;
}
mem_ctx = talloc_init("add_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
if (argc == 3) {
gpo_opt = atoi(argv[2]);
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
if (!ADS_ERR_OK(status)) {
d_printf("link add failed: %s\n", ads_errstr(status));
goto out;
}
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
int scope,
const char *base,
const char *filter,
void *args,
const char *range_attr,
char ***strings,
size_t *num_strings)
{
ADS_STATUS status;
uint32_t first_usn;
int num_retries = 0;
const char **attrs;
bool more_values = False;
*num_strings = 0;
*strings = NULL;
attrs = talloc_array(mem_ctx, const char *, 3);
ADS_ERROR_HAVE_NO_MEMORY(attrs);
attrs[0] = talloc_strdup(mem_ctx, range_attr);
attrs[1] = talloc_strdup(mem_ctx, "usnChanged");
attrs[2] = NULL;
ADS_ERROR_HAVE_NO_MEMORY(attrs[0]);
ADS_ERROR_HAVE_NO_MEMORY(attrs[1]);
do {
status = ads_ranged_search_internal(ads, mem_ctx,
scope, base, filter,
attrs, args, range_attr,
strings, num_strings,
&first_usn, &num_retries,
&more_values);
if (NT_STATUS_EQUAL(STATUS_MORE_ENTRIES, ads_ntstatus(status))) {
continue;
}
if (!ADS_ERR_OK(status)) {
*num_strings = 0;
strings = NULL;
goto done;
}
} while (more_values);
done:
DEBUG(10,("returning with %d strings\n", (int)*num_strings));
return status;
}
static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
struct GP_LINK gp_link;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkget <container>\n"
" Lists gPLink of a containter\n"
" container\tContainer to get link for\n");
return -1;
}
mem_ctx = talloc_init("add_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
if (!ADS_ERR_OK(status)) {
d_printf("get link for %s failed: %s\n", argv[0],
ads_errstr(status));
goto out;
}
dump_gplink(ads, mem_ctx, &gp_link);
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
const char *given_principal,
struct ads_service_principal *p)
{
ADS_STATUS status;
#ifdef HAVE_KRB5
gss_buffer_desc input_name;
/* GSS_KRB5_NT_PRINCIPAL_NAME */
gss_OID_desc nt_principal =
{10, discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
uint32 minor_status;
int gss_rc;
#endif
ZERO_STRUCTP(p);
/* I've seen a child Windows 2000 domain not send
the principal name back in the first round of
the SASL bind reply. So we guess based on server
name and realm. --jerry */
/* Also try best guess when we get the w2k8 ignore principal
back, or when we are configured to ignore it - gd,
abartlet */
if (!lp_client_use_spnego_principal() ||
!given_principal ||
strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
status = ads_guess_service_principal(ads, &p->string);
if (!ADS_ERR_OK(status)) {
return status;
}
} else {
p->string = SMB_STRDUP(given_principal);
if (!p->string) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
}
#ifdef HAVE_KRB5
input_name.value = p->string;
input_name.length = strlen(p->string);
gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
if (gss_rc) {
ads_free_service_principal(p);
return ADS_ERROR_GSS(gss_rc, minor_status);
}
#endif
return ADS_SUCCESS;
}
WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
struct GUID *pguid)
{
ADS_STRUCT *ads = NULL;
char *old_krb5ccname = NULL;
char *printer_dn;
WERROR result;
ADS_STATUS ads_status;
TALLOC_CTX *tmp_ctx;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return WERR_NOMEM;
}
ads = ads_init(lp_realm(), lp_workgroup(), NULL);
if (ads == NULL) {
result = WERR_SERVER_UNAVAILABLE;
goto out;
}
old_krb5ccname = getenv(KRB5_ENV_CCNAME);
setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1);
SAFE_FREE(ads->auth.password);
ads->auth.password = secrets_fetch_machine_password(lp_workgroup(),
NULL, NULL);
ads_status = ads_connect(ads);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_status)));
result = WERR_ACCESS_DENIED;
goto out;
}
result = nt_printer_dn_lookup(tmp_ctx, ads, printer, &printer_dn);
if (!W_ERROR_IS_OK(result)) {
goto out;
}
result = nt_printer_guid_retrieve_internal(ads, printer_dn, pguid);
out:
TALLOC_FREE(tmp_ctx);
ads_destroy(&ads);
ads_kdestroy("MEMORY:prtpub_cache");
unsetenv(KRB5_ENV_CCNAME);
if (old_krb5ccname != NULL) {
setenv(KRB5_ENV_CCNAME, old_krb5ccname, 0);
}
return result;
}
static int ads_user_info(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS rc;
void *res;
const char *attrs[] = {"memberOf", NULL};
char *searchstring=NULL;
char **grouplist;
char *escaped_user = escape_ldap_string_alloc(argv[0]);
if (argc < 1) {
return net_ads_user_usage(argc, argv);
}
if (!(ads = ads_startup())) {
return -1;
}
if (!escaped_user) {
d_printf("ads_user_info: failed to escape user %s\n", argv[0]);
ads_destroy(&ads);
return -1;
}
asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user);
rc = ads_search(ads, &res, searchstring, attrs);
safe_free(searchstring);
if (!ADS_ERR_OK(rc)) {
d_printf("ads_search: %s\n", ads_errstr(rc));
ads_destroy(&ads);
return -1;
}
grouplist = ldap_get_values(ads->ld, res, "memberOf");
if (grouplist) {
int i;
char **groupname;
for (i=0;grouplist[i];i++) {
groupname = ldap_explode_dn(grouplist[i], 1);
d_printf("%s\n", groupname[0]);
ldap_value_free(groupname);
}
ldap_value_free(grouplist);
}
ads_msgfree(ads, res);
ads_destroy(&ads);
return 0;
}
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
{
const char *attrs[] = {"supportedSASLMechanisms", NULL};
char **values;
ADS_STATUS status;
int i, j;
LDAPMessage *res;
struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
/* get a list of supported SASL mechanisms */
status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
if (!ADS_ERR_OK(status)) return status;
values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
wrap->wrap_type = ADS_SASLWRAP_TYPE_SEAL;
} else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
} else {
wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
}
/* try our supported mechanisms in order */
for (i=0;sasl_mechanisms[i].name;i++) {
/* see if the server supports it */
for (j=0;values && values[j];j++) {
if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
DEBUG(4,("Found SASL mechanism %s\n", values[j]));
retry:
status = sasl_mechanisms[i].fn(ads);
if (status.error_type == ENUM_ADS_ERROR_LDAP &&
status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN)
{
DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
"retrying with signing enabled\n"));
wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN;
goto retry;
}
ldap_value_free(values);
ldap_msgfree(res);
return status;
}
}
}
ldap_value_free(values);
ldap_msgfree(res);
return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
}
static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
if (argc < 2 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo linkdelete <linkdn> <gpodn>\n"
" Delete a GPO link\n"
" <linkdn>\tContainer to delete GPO from\n"
" <gpodn>\tGPO to delete from container\n");
return -1;
}
mem_ctx = talloc_init("delete_gpo_link");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
if (!ADS_ERR_OK(status)) {
d_printf("delete link failed: %s\n", ads_errstr(status));
goto out;
}
out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
/*
map a REG_DWORD to an ldap mod
*/
static bool map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char *str_value = NULL;
ADS_STATUS status;
if (value->type != REG_DWORD)
return False;
str_value = talloc_asprintf(ctx, "%d", *((uint32 *) value->data_p));
if (!str_value) {
return False;
}
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
int net_ads_changetrustpw(int argc, const char **argv)
{
ADS_STRUCT *ads;
char *host_principal;
fstring my_name;
ADS_STATUS ret;
if (!secrets_init()) {
DEBUG(1,("Failed to initialise secrets database\n"));
return -1;
}
net_use_machine_password();
use_in_memory_ccache();
if (!(ads = ads_startup())) {
return -1;
}
fstrcpy(my_name, global_myname());
strlower_m(my_name);
asprintf(&host_principal, "%s@%s", my_name, ads->config.realm);
d_printf("Changing password for principal: HOST/%s\n", host_principal);
ret = ads_change_trust_account_password(ads, host_principal);
if (!ADS_ERR_OK(ret)) {
d_printf("Password change failed :-( ...\n");
ads_destroy(&ads);
SAFE_FREE(host_principal);
return -1;
}
d_printf("Password change for principal HOST/%s succeeded.\n", host_principal);
if (lp_use_kerberos_keytab()) {
d_printf("Attempting to update system keytab with new password.\n");
if (ads_keytab_create_default(ads)) {
d_printf("Failed to update system keytab.\n");
}
}
ads_destroy(&ads);
SAFE_FREE(host_principal);
return 0;
}
/*
map a boolean REG_BINARY to an ldap mod
*/
static bool map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const REGISTRY_VALUE *value)
{
char *str_value;
ADS_STATUS status;
if ((value->type != REG_BINARY) || (value->size != 1))
return False;
str_value = talloc_asprintf(ctx, "%s",
*(value->data_p) ? "TRUE" : "FALSE");
if (!str_value) {
return False;
}
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
