static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) { ADS_STATUS status; struct ads_service_principal p; status = ads_generate_service_principal(ads, &p); if (!ADS_ERR_OK(status)) { return status; } if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { status = ads_sasl_gssapi_do_bind(ads, p.name); if (ADS_ERR_OK(status)) { ads_free_service_principal(&p); return status; } DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " "calling kinit\n", ads_errstr(status))); } status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) { status = ads_sasl_gssapi_do_bind(ads, p.name); } ads_free_service_principal(&p); return status; }
static int ads_group_delete(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS rc; void *res; char *groupdn; if (argc < 1) { return net_ads_group_usage(argc, argv); } if (!(ads = ads_startup())) { return -1; } rc = ads_find_user_acct(ads, &res, argv[0]); if (!ADS_ERR_OK(rc)) { DEBUG(0, ("Group %s does not exist\n", argv[0])); ads_destroy(&ads); return -1; } groupdn = ads_get_dn(ads, res); ads_msgfree(ads, res); rc = ads_del_dn(ads, groupdn); ads_memfree(ads, groupdn); if (!ADS_ERR_OK(rc)) { d_printf("Group %s deleted\n", argv[0]); ads_destroy(&ads); return 0; } d_printf("Error deleting group %s: %s\n", argv[0], ads_errstr(rc)); ads_destroy(&ads); return -1; }
static int net_ads_printer_remove(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS rc; const char *servername; char *prt_dn; void *res = NULL; if (!(ads = ads_startup())) { return -1; } if (argc < 1) { return net_ads_printer_usage(argc, argv); } if (argc > 1) { servername = argv[1]; } else { servername = global_myname(); } rc = ads_find_printer_on_server(ads, &res, argv[0], servername); if (!ADS_ERR_OK(rc)) { d_printf("ads_find_printer_on_server: %s\n", ads_errstr(rc)); ads_msgfree(ads, res); ads_destroy(&ads); return -1; } if (ads_count_replies(ads, res) == 0) { d_printf("Printer '%s' not found\n", argv[1]); ads_msgfree(ads, res); ads_destroy(&ads); return -1; } prt_dn = ads_get_dn(ads, res); ads_msgfree(ads, res); rc = ads_del_dn(ads, prt_dn); ads_memfree(ads, prt_dn); if (!ADS_ERR_OK(rc)) { d_printf("ads_del_dn: %s\n", ads_errstr(rc)); ads_destroy(&ads); return -1; } ads_destroy(&ads); return 0; }
/* do a rough conversion between ads error codes and NT status codes we'll need to fill this in more */ NTSTATUS ads_ntstatus(ADS_STATUS status) { switch (status.error_type) { case ENUM_ADS_ERROR_NT: return status.err.nt_status; case ENUM_ADS_ERROR_SYSTEM: return map_nt_error_from_unix(status.err.rc); #ifdef HAVE_LDAP case ENUM_ADS_ERROR_LDAP: if (status.err.rc == LDAP_SUCCESS) { return NT_STATUS_OK; } return NT_STATUS_LDAP(status.err.rc); #endif #ifdef HAVE_KRB5 case ENUM_ADS_ERROR_KRB5: return krb5_to_nt_status(status.err.rc); #endif default: break; } if (ADS_ERR_OK(status)) { return NT_STATUS_OK; } return NT_STATUS_UNSUCCESSFUL; }
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) { char *password; char *new_password; ADS_STATUS ret; enum netr_SchannelType sec_channel_type; if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); return ADS_ERROR_SYSTEM(ENOENT); } new_password = generate_random_password(talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset); if (!ADS_ERR_OK(ret)) { goto failed; } if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { DEBUG(1,("Failed to save machine password\n")); ret = ADS_ERROR_SYSTEM(EACCES); goto failed; } failed: SAFE_FREE(password); return ret; }
static int net_ads_printer_search(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS rc; void *res = NULL; if (!(ads = ads_startup())) { return -1; } rc = ads_find_printers(ads, &res); if (!ADS_ERR_OK(rc)) { d_printf("ads_find_printer: %s\n", ads_errstr(rc)); ads_msgfree(ads, res); ads_destroy(&ads); return -1; } if (ads_count_replies(ads, res) == 0) { d_printf("No results found\n"); ads_msgfree(ads, res); ads_destroy(&ads); return -1; } ads_dump(ads, res); ads_msgfree(ads, res); ads_destroy(&ads); return 0; }
static WERROR nt_printer_unpublish_ads(ADS_STRUCT *ads, const char *printer) { ADS_STATUS ads_rc; LDAPMessage *res = NULL; char *prt_dn = NULL; DEBUG(5, ("unpublishing printer %s\n", printer)); /* remove the printer from the directory */ ads_rc = ads_find_printer_on_server(ads, &res, printer, lp_netbios_name()); if (ADS_ERR_OK(ads_rc) && res && ads_count_replies(ads, res)) { prt_dn = ads_get_dn(ads, talloc_tos(), res); if (!prt_dn) { ads_msgfree(ads, res); return WERR_NOMEM; } ads_rc = ads_del_dn(ads, prt_dn); TALLOC_FREE(prt_dn); } if (res) { ads_msgfree(ads, res); } return WERR_OK; }
/* determine the netbios workgroup name for a domain */ static int net_ads_workgroup(int argc, const char **argv) { ADS_STRUCT *ads; TALLOC_CTX *ctx; const char *workgroup; if (!(ads = ads_startup())) return -1; if (!(ctx = talloc_init("net_ads_workgroup"))) { ads_destroy(&ads); return -1; } if (!ADS_ERR_OK(ads_workgroup_name(ads, ctx, &workgroup))) { d_printf("Failed to find workgroup for realm '%s'\n", ads->config.realm); talloc_destroy(ctx); ads_destroy(&ads); return -1; } d_printf("Workgroup: %s\n", workgroup); talloc_destroy(ctx); ads_destroy(&ads); return 0; }
static int net_ads_status(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS rc; void *res; if (!(ads = ads_startup())) { return -1; } rc = ads_find_machine_acct(ads, &res, global_myname()); if (!ADS_ERR_OK(rc)) { d_printf("ads_find_machine_acct: %s\n", ads_errstr(rc)); ads_destroy(&ads); return -1; } if (ads_count_replies(ads, res) == 0) { d_printf("No machine account for '%s' found\n", global_myname()); ads_destroy(&ads); return -1; } ads_dump(ads, res); ads_destroy(&ads); return 0; }
/* convert a sid to a user or group name */ NTSTATUS ads_sid_to_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const DOM_SID *sid, char **name, enum SID_NAME_USE *type) { const char *attrs[] = {"userPrincipalName", "sAMAccountName", "sAMAccountType", NULL}; ADS_STATUS rc; void *msg = NULL; char *ldap_exp = NULL; char *sidstr = NULL; uint32 atype; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; if (!(sidstr = sid_binstring(sid))) { DEBUG(1,("ads_sid_to_name: sid_binstring failed!\n")); status = NT_STATUS_NO_MEMORY; goto done; } if (asprintf(&ldap_exp, "(objectSid=%s)", sidstr) == -1) { DEBUG(1,("ads_sid_to_name: asprintf failed!\n")); status = NT_STATUS_NO_MEMORY; goto done; } rc = ads_search_retry(ads, &msg, ldap_exp, attrs); if (!ADS_ERR_OK(rc)) { status = ads_ntstatus(rc); DEBUG(1,("ads_sid_to_name ads_search: %s\n", ads_errstr(rc))); goto done; } if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) { goto done; } *name = ads_pull_username(ads, mem_ctx, msg); if (!*name) { DEBUG(1,("ads_sid_to_name: ads_pull_username retuned NULL!\n")); status = NT_STATUS_NO_MEMORY; goto done; } *type = ads_atype_map(atype); status = NT_STATUS_OK; DEBUG(3,("ads sid_to_name mapped %s\n", *name)); done: if (msg) ads_msgfree(ads, msg); SAFE_FREE(ldap_exp); SAFE_FREE(sidstr); return status; }
void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) { ADS_STATUS status; int i; int lvl = 10; if (gp_link == NULL) { return; } DEBUG(lvl,("---------------------\n\n")); DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link)); DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts)); switch (gp_link->gp_opts) { case GPOPTIONS_INHERIT: DEBUGADD(lvl,("GPOPTIONS_INHERIT\n")); break; case GPOPTIONS_BLOCK_INHERITANCE: DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n")); break; default: break; } DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); for (i = 0; i < gp_link->num_links; i++) { DEBUGADD(lvl,("---------------------\n\n")); DEBUGADD(lvl,("link: #%d\n", i + 1)); DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i])); if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) { DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED ")); } if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED")); } DEBUGADD(lvl,("\n")); if (ads != NULL && mem_ctx != NULL) { struct GROUP_POLICY_OBJECT gpo; status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); if (!ADS_ERR_OK(status)) { DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); return; } dump_gpo(ads, mem_ctx, &gpo, lvl); } } }
static ADS_STATUS gpo_process_gpo_list_by_ext(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const struct security_token *token, struct registry_key *root_key, struct GROUP_POLICY_OBJECT *gpo_list, const char *extensions_guid, uint32_t flags) { ADS_STATUS status; struct GROUP_POLICY_OBJECT *gpo; for (gpo = gpo_list; gpo; gpo = gpo->next) { if (gpo->link_type == GP_LINK_LOCAL) { continue; } /* FIXME: we need to pass down the *list* down to the * extension, otherwise we cannot store the e.g. the *list* of * logon-scripts correctly (for more then one GPO) */ status = gpo_process_a_gpo(ads, mem_ctx, token, root_key, gpo, extensions_guid, flags); if (!ADS_ERR_OK(status)) { DEBUG(0,("failed to process gpo by ext: %s\n", ads_errstr(status))); return status; } } return ADS_SUCCESS; }
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads) { const char *attrs[] = {"supportedSASLMechanisms", NULL}; char **values; ADS_STATUS status; int i, j; LDAPMessage *res; /* get a list of supported SASL mechanisms */ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); if (!ADS_ERR_OK(status)) return status; values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms"); /* try our supported mechanisms in order */ for (i=0;sasl_mechanisms[i].name;i++) { /* see if the server supports it */ for (j=0;values && values[j];j++) { if (strcmp(values[j], sasl_mechanisms[i].name) == 0) { DEBUG(4,("Found SASL mechanism %s\n", values[j])); status = sasl_mechanisms[i].fn(ads); ldap_value_free(values); ldap_msgfree(res); return status; } } } ldap_value_free(values); ldap_msgfree(res); return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED); }
static int net_ads_leave(int argc, const char **argv) { ADS_STRUCT *ads = NULL; ADS_STATUS rc; if (!secrets_init()) { DEBUG(1,("Failed to initialise secrets database\n")); return -1; } if (!opt_password) { net_use_machine_password(); } if (!(ads = ads_startup())) { return -1; } rc = ads_leave_realm(ads, global_myname()); if (!ADS_ERR_OK(rc)) { d_printf("Failed to delete host '%s' from the '%s' realm.\n", global_myname(), ads->config.realm); ads_destroy(&ads); return -1; } d_printf("Removed '%s' from realm '%s'\n", global_myname(), ads->config.realm); ads_destroy(&ads); return 0; }
static WERROR nt_printer_guid_retrieve_internal(ADS_STRUCT *ads, const char *printer_dn, struct GUID *pguid) { ADS_STATUS ads_status; LDAPMessage *res; const char *attrs[] = {"objectGUID", NULL}; struct GUID guid; bool ok; ads_status = ads_search_dn(ads, &res, printer_dn, attrs); if (!ADS_ERR_OK(ads_status)) { DEBUG(2, ("Failed to retrieve GUID from DC - %s\n", ads_errstr(ads_status))); return WERR_BADFILE; } ZERO_STRUCT(guid); ok = ads_pull_guid(ads, res, &guid); ads_msgfree(ads, res); if (!ok) { return WERR_NOMEM; } *pguid = guid; return WERR_OK; }
static ADS_STATUS ads_sasl_ntlmssp_unwrap(ADS_STRUCT *ads) { struct ntlmssp_state *ntlmssp_state = (struct ntlmssp_state *)ads->ldap.wrap_private_data; ADS_STATUS status; NTSTATUS nt_status; DATA_BLOB sig; uint8 *dptr = ads->ldap.in.buf + (4 + NTLMSSP_SIG_SIZE); uint32 dlen = ads->ldap.in.ofs - (4 + NTLMSSP_SIG_SIZE); /* wrap the signature into a DATA_BLOB */ sig = data_blob_const(ads->ldap.in.buf + 4, NTLMSSP_SIG_SIZE); /* verify the signature and maybe decrypt the data */ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { nt_status = ntlmssp_unseal_packet(ntlmssp_state, dptr, dlen, dptr, dlen, &sig); } else { nt_status = ntlmssp_check_packet(ntlmssp_state, dptr, dlen, dptr, dlen, &sig); } status = ADS_ERROR_NT(nt_status); if (!ADS_ERR_OK(status)) return status; /* set the amount of bytes for the upper layer and set the ofs to the data */ ads->ldap.in.left = dlen; ads->ldap.in.ofs = 4 + NTLMSSP_SIG_SIZE; return ADS_SUCCESS; }
/* display SD */ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descriptor *sd) { int i; char *tmp_path = NULL; if (!sd) { return; } if (ads && !ads->config.schema_path) { if (ADS_ERR_OK(ads_schema_path(ads, mem_ctx, &tmp_path))) { ads->config.schema_path = SMB_STRDUP(tmp_path); } } if (ads && !ads->config.config_path) { if (ADS_ERR_OK(ads_config_path(ads, mem_ctx, &tmp_path))) { ads->config.config_path = SMB_STRDUP(tmp_path); } } printf("-------------- Security Descriptor (revision: %d, type: 0x%02x)\n", sd->revision, sd->type); printf("owner SID: %s\n", sd->owner_sid ? sid_string_talloc(mem_ctx, sd->owner_sid) : "(null)"); printf("group SID: %s\n", sd->group_sid ? sid_string_talloc(mem_ctx, sd->group_sid) : "(null)"); ads_disp_acl(sd->sacl, "system"); if (sd->sacl) { for (i = 0; i < sd->sacl->num_aces; i ++) { ads_disp_ace(ads, mem_ctx, &sd->sacl->aces[i]); } } ads_disp_acl(sd->dacl, "user"); if (sd->dacl) { for (i = 0; i < sd->dacl->num_aces; i ++) { ads_disp_ace(ads, mem_ctx, &sd->dacl->aces[i]); } } printf("-------------- End Of Security Descriptor\n"); }
static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; TALLOC_CTX *mem_ctx; struct GROUP_POLICY_OBJECT gpo; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" "net ads gpo getgpo <gpo>\n" " List speciefied GPO\n" " gpo\t\tGPO to list\n"); return -1; } mem_ctx = talloc_init("ads_gpo_get_gpo"); if (mem_ctx == NULL) { return -1; } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { goto out; } if (strnequal(argv[0], "CN={", strlen("CN={"))) { status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo); } else { status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo); } if (!ADS_ERR_OK(status)) { d_printf("get gpo for [%s] failed: %s\n", argv[0], ads_errstr(status)); goto out; } dump_gpo(ads, mem_ctx, &gpo, 1); out: talloc_destroy(mem_ctx); ads_destroy(&ads); return 0; }
static int ads_group_add(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; void *res=NULL; int rc = -1; if (argc < 1) { return net_ads_group_usage(argc, argv); } if (!(ads = ads_startup())) { return -1; } status = ads_find_user_acct(ads, &res, argv[0]); if (!ADS_ERR_OK(status)) { d_printf("ads_group_add: %s\n", ads_errstr(status)); goto done; } if (ads_count_replies(ads, res)) { d_printf("ads_group_add: Group %s already exists\n", argv[0]); ads_msgfree(ads, res); goto done; } status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment); if (ADS_ERR_OK(status)) { d_printf("Group %s added\n", argv[0]); rc = 0; } else { d_printf("Could not add group %s: %s\n", argv[0], ads_errstr(status)); } done: if (res) ads_msgfree(ads, res); ads_destroy(&ads); return rc; }
static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; uint32 gpo_opt = 0; TALLOC_CTX *mem_ctx; if (argc < 2 || c->display_usage) { d_printf("Usage:\n" "net ads gpo linkadd <linkdn> <gpodn> [options]\n" " Link a container to a GPO\n" " linkdn\tContainer to link to a GPO\n" " gpodn\tGPO to link container to\n"); d_printf("note: DNs must be provided properly escaped.\n"); d_printf("See RFC 4514 for details\n"); return -1; } mem_ctx = talloc_init("add_gpo_link"); if (mem_ctx == NULL) { return -1; } if (argc == 3) { gpo_opt = atoi(argv[2]); } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { goto out; } status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt); if (!ADS_ERR_OK(status)) { d_printf("link add failed: %s\n", ads_errstr(status)); goto out; } out: talloc_destroy(mem_ctx); ads_destroy(&ads); return 0; }
ADS_STATUS ads_ranged_search(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, int scope, const char *base, const char *filter, void *args, const char *range_attr, char ***strings, size_t *num_strings) { ADS_STATUS status; uint32_t first_usn; int num_retries = 0; const char **attrs; bool more_values = False; *num_strings = 0; *strings = NULL; attrs = talloc_array(mem_ctx, const char *, 3); ADS_ERROR_HAVE_NO_MEMORY(attrs); attrs[0] = talloc_strdup(mem_ctx, range_attr); attrs[1] = talloc_strdup(mem_ctx, "usnChanged"); attrs[2] = NULL; ADS_ERROR_HAVE_NO_MEMORY(attrs[0]); ADS_ERROR_HAVE_NO_MEMORY(attrs[1]); do { status = ads_ranged_search_internal(ads, mem_ctx, scope, base, filter, attrs, args, range_attr, strings, num_strings, &first_usn, &num_retries, &more_values); if (NT_STATUS_EQUAL(STATUS_MORE_ENTRIES, ads_ntstatus(status))) { continue; } if (!ADS_ERR_OK(status)) { *num_strings = 0; strings = NULL; goto done; } } while (more_values); done: DEBUG(10,("returning with %d strings\n", (int)*num_strings)); return status; }
static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; TALLOC_CTX *mem_ctx; struct GP_LINK gp_link; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" "net ads gpo linkget <container>\n" " Lists gPLink of a containter\n" " container\tContainer to get link for\n"); return -1; } mem_ctx = talloc_init("add_gpo_link"); if (mem_ctx == NULL) { return -1; } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { goto out; } status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link); if (!ADS_ERR_OK(status)) { d_printf("get link for %s failed: %s\n", argv[0], ads_errstr(status)); goto out; } dump_gplink(ads, mem_ctx, &gp_link); out: talloc_destroy(mem_ctx); ads_destroy(&ads); return 0; }
static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, const char *given_principal, struct ads_service_principal *p) { ADS_STATUS status; #ifdef HAVE_KRB5 gss_buffer_desc input_name; /* GSS_KRB5_NT_PRINCIPAL_NAME */ gss_OID_desc nt_principal = {10, discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")}; uint32 minor_status; int gss_rc; #endif ZERO_STRUCTP(p); /* I've seen a child Windows 2000 domain not send the principal name back in the first round of the SASL bind reply. So we guess based on server name and realm. --jerry */ /* Also try best guess when we get the w2k8 ignore principal back, or when we are configured to ignore it - gd, abartlet */ if (!lp_client_use_spnego_principal() || !given_principal || strequal(given_principal, ADS_IGNORE_PRINCIPAL)) { status = ads_guess_service_principal(ads, &p->string); if (!ADS_ERR_OK(status)) { return status; } } else { p->string = SMB_STRDUP(given_principal); if (!p->string) { return ADS_ERROR(LDAP_NO_MEMORY); } } #ifdef HAVE_KRB5 input_name.value = p->string; input_name.length = strlen(p->string); gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name); if (gss_rc) { ads_free_service_principal(p); return ADS_ERROR_GSS(gss_rc, minor_status); } #endif return ADS_SUCCESS; }
WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, struct GUID *pguid) { ADS_STRUCT *ads = NULL; char *old_krb5ccname = NULL; char *printer_dn; WERROR result; ADS_STATUS ads_status; TALLOC_CTX *tmp_ctx; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { return WERR_NOMEM; } ads = ads_init(lp_realm(), lp_workgroup(), NULL); if (ads == NULL) { result = WERR_SERVER_UNAVAILABLE; goto out; } old_krb5ccname = getenv(KRB5_ENV_CCNAME); setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); SAFE_FREE(ads->auth.password); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ads_status = ads_connect(ads); if (!ADS_ERR_OK(ads_status)) { DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_status))); result = WERR_ACCESS_DENIED; goto out; } result = nt_printer_dn_lookup(tmp_ctx, ads, printer, &printer_dn); if (!W_ERROR_IS_OK(result)) { goto out; } result = nt_printer_guid_retrieve_internal(ads, printer_dn, pguid); out: TALLOC_FREE(tmp_ctx); ads_destroy(&ads); ads_kdestroy("MEMORY:prtpub_cache"); unsetenv(KRB5_ENV_CCNAME); if (old_krb5ccname != NULL) { setenv(KRB5_ENV_CCNAME, old_krb5ccname, 0); } return result; }
static int ads_user_info(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS rc; void *res; const char *attrs[] = {"memberOf", NULL}; char *searchstring=NULL; char **grouplist; char *escaped_user = escape_ldap_string_alloc(argv[0]); if (argc < 1) { return net_ads_user_usage(argc, argv); } if (!(ads = ads_startup())) { return -1; } if (!escaped_user) { d_printf("ads_user_info: failed to escape user %s\n", argv[0]); ads_destroy(&ads); return -1; } asprintf(&searchstring, "(sAMAccountName=%s)", escaped_user); rc = ads_search(ads, &res, searchstring, attrs); safe_free(searchstring); if (!ADS_ERR_OK(rc)) { d_printf("ads_search: %s\n", ads_errstr(rc)); ads_destroy(&ads); return -1; } grouplist = ldap_get_values(ads->ld, res, "memberOf"); if (grouplist) { int i; char **groupname; for (i=0;grouplist[i];i++) { groupname = ldap_explode_dn(grouplist[i], 1); d_printf("%s\n", groupname[0]); ldap_value_free(groupname); } ldap_value_free(grouplist); } ads_msgfree(ads, res); ads_destroy(&ads); return 0; }
ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads) { const char *attrs[] = {"supportedSASLMechanisms", NULL}; char **values; ADS_STATUS status; int i, j; LDAPMessage *res; struct ads_saslwrap *wrap = &ads->ldap_wrap_data; /* get a list of supported SASL mechanisms */ status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res); if (!ADS_ERR_OK(status)) return status; values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms"); if (ads->auth.flags & ADS_AUTH_SASL_SEAL) { wrap->wrap_type = ADS_SASLWRAP_TYPE_SEAL; } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) { wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN; } else { wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN; } /* try our supported mechanisms in order */ for (i=0;sasl_mechanisms[i].name;i++) { /* see if the server supports it */ for (j=0;values && values[j];j++) { if (strcmp(values[j], sasl_mechanisms[i].name) == 0) { DEBUG(4,("Found SASL mechanism %s\n", values[j])); retry: status = sasl_mechanisms[i].fn(ads); if (status.error_type == ENUM_ADS_ERROR_LDAP && status.err.rc == LDAP_STRONG_AUTH_REQUIRED && wrap->wrap_type == ADS_SASLWRAP_TYPE_PLAIN) { DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED " "retrying with signing enabled\n")); wrap->wrap_type = ADS_SASLWRAP_TYPE_SIGN; goto retry; } ldap_value_free(values); ldap_msgfree(res); return status; } } } ldap_value_free(values); ldap_msgfree(res); return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED); }
static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; TALLOC_CTX *mem_ctx; if (argc < 2 || c->display_usage) { d_printf("Usage:\n" "net ads gpo linkdelete <linkdn> <gpodn>\n" " Delete a GPO link\n" " <linkdn>\tContainer to delete GPO from\n" " <gpodn>\tGPO to delete from container\n"); return -1; } mem_ctx = talloc_init("delete_gpo_link"); if (mem_ctx == NULL) { return -1; } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { goto out; } status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]); if (!ADS_ERR_OK(status)) { d_printf("delete link failed: %s\n", ads_errstr(status)); goto out; } out: talloc_destroy(mem_ctx); ads_destroy(&ads); return 0; }
/* map a REG_DWORD to an ldap mod */ static bool map_dword(TALLOC_CTX *ctx, ADS_MODLIST *mods, const REGISTRY_VALUE *value) { char *str_value = NULL; ADS_STATUS status; if (value->type != REG_DWORD) return False; str_value = talloc_asprintf(ctx, "%d", *((uint32 *) value->data_p)); if (!str_value) { return False; } status = ads_mod_str(ctx, mods, value->valuename, str_value); return ADS_ERR_OK(status); }
int net_ads_changetrustpw(int argc, const char **argv) { ADS_STRUCT *ads; char *host_principal; fstring my_name; ADS_STATUS ret; if (!secrets_init()) { DEBUG(1,("Failed to initialise secrets database\n")); return -1; } net_use_machine_password(); use_in_memory_ccache(); if (!(ads = ads_startup())) { return -1; } fstrcpy(my_name, global_myname()); strlower_m(my_name); asprintf(&host_principal, "%s@%s", my_name, ads->config.realm); d_printf("Changing password for principal: HOST/%s\n", host_principal); ret = ads_change_trust_account_password(ads, host_principal); if (!ADS_ERR_OK(ret)) { d_printf("Password change failed :-( ...\n"); ads_destroy(&ads); SAFE_FREE(host_principal); return -1; } d_printf("Password change for principal HOST/%s succeeded.\n", host_principal); if (lp_use_kerberos_keytab()) { d_printf("Attempting to update system keytab with new password.\n"); if (ads_keytab_create_default(ads)) { d_printf("Failed to update system keytab.\n"); } } ads_destroy(&ads); SAFE_FREE(host_principal); return 0; }
/* map a boolean REG_BINARY to an ldap mod */ static bool map_bool(TALLOC_CTX *ctx, ADS_MODLIST *mods, const REGISTRY_VALUE *value) { char *str_value; ADS_STATUS status; if ((value->type != REG_BINARY) || (value->size != 1)) return False; str_value = talloc_asprintf(ctx, "%s", *(value->data_p) ? "TRUE" : "FALSE"); if (!str_value) { return False; } status = ads_mod_str(ctx, mods, value->valuename, str_value); return ADS_ERR_OK(status); }