static int net_ads_info(int argc, const char **argv) { ADS_STRUCT *ads; ads = ads_init(NULL, opt_target_workgroup, opt_host); if (ads) { ads->auth.flags |= ADS_AUTH_NO_BIND; } ads_connect(ads); if (!ads || !ads->config.realm) { d_printf("Didn't find the ldap server!\n"); return -1; } d_printf("LDAP server: %s\n", inet_ntoa(ads->ldap_ip)); d_printf("LDAP server name: %s\n", ads->config.ldap_server_name); d_printf("Realm: %s\n", ads->config.realm); d_printf("Bind Path: %s\n", ads->config.bind_path); d_printf("LDAP port: %d\n", ads->ldap_port); d_printf("Server time: %s\n", http_timestring(ads->config.current_time)); d_printf("KDC server: %s\n", ads->auth.kdc_server ); d_printf("Server time offset: %d\n", ads->auth.time_offset ); return 0; }
WERROR ads_startup (struct libnet_context *netctx, ADS_STRUCT **ads) { *ads = talloc(netctx, ADS_STRUCT); (*ads)->netctx = netctx; ads_connect(*ads); return WERR_OK; }
WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, struct GUID *pguid) { ADS_STRUCT *ads = NULL; char *old_krb5ccname = NULL; char *printer_dn; WERROR result; ADS_STATUS ads_status; TALLOC_CTX *tmp_ctx; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { return WERR_NOMEM; } ads = ads_init(lp_realm(), lp_workgroup(), NULL); if (ads == NULL) { result = WERR_SERVER_UNAVAILABLE; goto out; } old_krb5ccname = getenv(KRB5_ENV_CCNAME); setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); SAFE_FREE(ads->auth.password); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ads_status = ads_connect(ads); if (!ADS_ERR_OK(ads_status)) { DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_status))); result = WERR_ACCESS_DENIED; goto out; } result = nt_printer_dn_lookup(tmp_ctx, ads, printer, &printer_dn); if (!W_ERROR_IS_OK(result)) { goto out; } result = nt_printer_guid_retrieve_internal(ads, printer_dn, pguid); out: TALLOC_FREE(tmp_ctx); ads_destroy(&ads); ads_kdestroy("MEMORY:prtpub_cache"); unsetenv(KRB5_ENV_CCNAME); if (old_krb5ccname != NULL) { setenv(KRB5_ENV_CCNAME, old_krb5ccname, 0); } return result; }
/* this implements the CLDAP based netlogon lookup requests for finding the domain controller of a ADS domain */ static int net_ads_lookup(int argc, const char **argv) { ADS_STRUCT *ads; ads = ads_init(NULL, opt_target_workgroup, opt_host); if (ads) { ads->auth.flags |= ADS_AUTH_NO_BIND; } ads_connect(ads); if (!ads || !ads->config.realm) { d_printf("Didn't find the cldap server!\n"); return -1; } return ads_cldap_netlogon(ads); }
static BOOL ads_dc_name(const char *domain, const char *realm, struct in_addr *dc_ip, fstring srv_name) { #if 1 /* AR7 */ return False; #else ADS_STRUCT *ads; if (!realm && strequal(domain, lp_workgroup())) realm = lp_realm(); ads = ads_init(realm, domain, NULL); if (!ads) return False; DEBUG(4,("ads_dc_name: domain=%s\n", domain)); #ifdef HAVE_ADS /* we don't need to bind, just connect */ ads->auth.flags |= ADS_AUTH_NO_BIND; ads_connect(ads); #endif if (!ads->config.realm) { ads_destroy(&ads); return False; } fstrcpy(srv_name, ads->config.ldap_server_name); strupper_m(srv_name); *dc_ip = ads->ldap_ip; ads_destroy(&ads); DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n", srv_name, inet_ntoa(*dc_ip))); return True; #endif /* AR7 */ }
static ADS_STRUCT *ads_startup(void) { ADS_STRUCT *ads; ADS_STATUS status; BOOL need_password = False; BOOL second_time = False; char *cp; /* lp_realm() should be handled by a command line param, However, the join requires that realm be set in smb.conf and compares our realm with the remote server's so this is ok until someone needs more flexibility */ ads = ads_init(lp_realm(), opt_target_workgroup, opt_host); if (!opt_user_name) { opt_user_name = "administrator"; } if (opt_user_specified) { need_password = True; } retry: if (!opt_password && need_password && !opt_machine_pass) { char *prompt; asprintf(&prompt,"%s's password: "******"name@realm", * extract the realm and convert to upper case. * This is only used to establish the connection. */ if ((cp = strchr(ads->auth.user_name, '@'))!=0) { *cp++ = '\0'; ads->auth.realm = smb_xstrdup(cp); strupper_m(ads->auth.realm); } status = ads_connect(ads); if (!ADS_ERR_OK(status)) { if (!need_password && !second_time) { need_password = True; second_time = True; goto retry; } else { DEBUG(0,("ads_connect: %s\n", ads_errstr(status))); return NULL; } } return ads; }
static int net_ads_password(int argc, const char **argv) { ADS_STRUCT *ads; const char *auth_principal = opt_user_name; const char *auth_password = opt_password; char *realm = NULL; char *new_password = NULL; char *c, *prompt; const char *user; ADS_STATUS ret; if (opt_user_name == NULL || opt_password == NULL) { d_printf("You must supply an administrator username/password\n"); return -1; } if (argc < 1) { d_printf("ERROR: You must say which username to change password for\n"); return -1; } user = argv[0]; if (!strchr_m(user, '@')) { asprintf(&c, "%s@%s", argv[0], lp_realm()); user = c; } use_in_memory_ccache(); c = strchr(auth_principal, '@'); if (c) { realm = ++c; } else { realm = lp_realm(); } /* use the realm so we can eventually change passwords for users in realms other than default */ if (!(ads = ads_init(realm, NULL, NULL))) { return -1; } /* we don't actually need a full connect, but it's the easy way to fill in the KDC's addresss */ ads_connect(ads); if (!ads || !ads->config.realm) { d_printf("Didn't find the kerberos server!\n"); return -1; } if (argv[1]) { new_password = (char *)argv[1]; } else { asprintf(&prompt, "Enter new password for %s:", user); new_password = getpass(prompt); free(prompt); } ret = kerberos_set_password(ads->auth.kdc_server, auth_principal, auth_password, user, new_password, ads->auth.time_offset); if (!ADS_ERR_OK(ret)) { d_printf("Password change failed :-( ...\n"); ads_destroy(&ads); return -1; } d_printf("Password change for %s completed.\n", user); ads_destroy(&ads); return 0; }
/* a wrapper around ldap_search_s that retries depending on the error code this is supposed to catch dropped connections and auto-reconnect */ ADS_STATUS ads_do_search_retry(ADS_STRUCT *ads, const char *bind_path, int scope, const char *expr, const char **attrs, void **res) { ADS_STATUS status; int count = 3; char *bp; *res = NULL; if (!ads->ld && time(NULL) - ads->last_attempt < ADS_RECONNECT_TIME) { return ADS_ERROR(LDAP_SERVER_DOWN); } bp = strdup(bind_path); if (!bp) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } while (count--) { *res = NULL; status = ads_do_search_all(ads, bp, scope, expr, attrs, res); if (ADS_ERR_OK(status)) { DEBUG(5,("Search for %s gave %d replies\n", expr, ads_count_replies(ads, *res))); SAFE_FREE(bp); return status; } if (*res) ads_msgfree(ads, *res); *res = NULL; DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n", ads->config.realm, ads_errstr(status))); if (ads->ld) { ldap_unbind(ads->ld); } ads->ld = NULL; status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(status))); ads_destroy(&ads); SAFE_FREE(bp); return status; } } SAFE_FREE(bp); if (!ADS_ERR_OK(status)) DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status))); return status; }
static NTSTATUS _idmap_adex_init(struct idmap_domain *dom) { ADS_STRUCT *ads = NULL; ADS_STATUS status; static NTSTATUS init_status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; struct dom_sid domain_sid; fstring dcname; struct sockaddr_storage ip; struct likewise_cell *lwcell; if (NT_STATUS_IS_OK(init_status)) return NT_STATUS_OK; /* Silently fail if we are not a member server in security = ads */ if ((lp_server_role() != ROLE_DOMAIN_MEMBER) || (lp_security() != SEC_ADS)) { init_status = NT_STATUS_INVALID_SERVER_STATE; BAIL_ON_NTSTATUS_ERROR(init_status); } /* fetch our domain SID first */ if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { init_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; BAIL_ON_NTSTATUS_ERROR(init_status); } /* reuse the same ticket cache as winbindd */ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); /* Establish a connection to a DC */ if ((ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL) { init_status = NT_STATUS_NO_MEMORY; BAIL_ON_NTSTATUS_ERROR(init_status); } ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ads->auth.realm = SMB_STRDUP(lp_realm()); /* get the DC name here to setup the server affinity cache and local krb5.conf */ get_dc_name(lp_workgroup(), lp_realm(), dcname, &ip); status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(0, ("_idmap_adex_init: ads_connect() failed! (%s)\n", ads_errstr(status))); } init_status = ads_ntstatus(status); BAIL_ON_NTSTATUS_ERROR(init_status); /* Find out cell membership */ init_status = cell_locate_membership(ads); if (!NT_STATUS_IS_OK(init_status)) { DEBUG(0,("LWI: Fail to locate cell membership (%s).", nt_errstr(init_status))); goto done; } /* Fill in the cell information */ lwcell = cell_list_head(); init_status = cell_lookup_settings(lwcell); BAIL_ON_NTSTATUS_ERROR(init_status); /* Miscellaneous setup. E.g. set up the list of GC servers and domain list for our forest (does not actually connect). */ init_status = gc_init_list(); BAIL_ON_NTSTATUS_ERROR(init_status); init_status = domain_init_list(); BAIL_ON_NTSTATUS_ERROR(init_status); done: if (!NT_STATUS_IS_OK(init_status)) { DEBUG(1,("Likewise initialization failed (%s)\n", nt_errstr(init_status))); } /* cleanup */ if (!NT_STATUS_IS_OK(init_status)) { cell_list_destroy(); /* init_status stores the failure reason but we need to return success or else idmap_init() will drop us from the backend list */ return NT_STATUS_OK; } init_status = NT_STATUS_OK; return init_status; }
static BOOL ads_dc_name(const char *domain, const char *realm, struct in_addr *dc_ip, fstring srv_name) { #if 1 /* AVM */ return False; #else ADS_STRUCT *ads; char *sitename; int i; if (!realm && strequal(domain, lp_workgroup())) { realm = lp_realm(); } sitename = sitename_fetch(realm); /* Try this 3 times then give up. */ for( i =0 ; i < 3; i++) { ads = ads_init(realm, domain, NULL); if (!ads) { SAFE_FREE(sitename); return False; } DEBUG(4,("ads_dc_name: domain=%s\n", domain)); #ifdef HAVE_ADS /* we don't need to bind, just connect */ ads->auth.flags |= ADS_AUTH_NO_BIND; ads_connect(ads); #endif if (!ads->config.realm) { SAFE_FREE(sitename); ads_destroy(&ads); return False; } /* Now we've found a server, see if our sitename has changed. If so, we need to re-do the DNS query to ensure we only find servers in our site. */ if (stored_sitename_changed(realm, sitename)) { SAFE_FREE(sitename); sitename = sitename_fetch(realm); ads_destroy(&ads); /* Ensure we don't cache the DC we just connected to. */ namecache_delete(realm, 0x1C); namecache_delete(domain, 0x1C); continue; } #ifdef HAVE_KRB5 if (is_our_primary_domain(domain) && (ads->config.flags & ADS_KDC)) { if (ads_closest_dc(ads)) { /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs to use this KDC. */ create_local_private_krb5_conf_for_domain(realm, domain, sitename, ads->ldap_ip); } else { /* use an off site KDC */ create_local_private_krb5_conf_for_domain(realm, domain, NULL, ads->ldap_ip); } } #endif break; } if (i == 3) { DEBUG(1,("ads_dc_name: sitename (now \"%s\") keeps changing ???\n", sitename ? sitename : "")); SAFE_FREE(sitename); return False; } SAFE_FREE(sitename); fstrcpy(srv_name, ads->config.ldap_server_name); strupper_m(srv_name); *dc_ip = ads->ldap_ip; ads_destroy(&ads); DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n", srv_name, inet_ntoa(*dc_ip))); return True; #endif /* AVM */ }
/* return our ads connections structure for a domain. We keep the connection open to make things faster */ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) { ADS_STRUCT *ads; ADS_STATUS status; fstring dc_name; struct sockaddr_storage dc_ss; DEBUG(10,("ads_cached_connection\n")); if (domain->private_data) { time_t expire; time_t now = time(NULL); /* check for a valid structure */ ads = (ADS_STRUCT *)domain->private_data; expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); if ( ads->config.realm && (expire > now)) { return ads; } else { /* we own this ADS_STRUCT so make sure it goes away */ DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy("MEMORY:winbind_ccache"); domain->private_data = NULL; } } /* we don't want this to affect the users ccache */ setenv("KRB5CCNAME", "MEMORY:winbind_ccache", 1); ads = ads_init(domain->alt_name, domain->name, NULL); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", domain->name)); return NULL; } /* the machine acct password might have change - fetch it every time */ SAFE_FREE(ads->auth.password); SAFE_FREE(ads->auth.realm); if ( IS_DC ) { if ( !pdb_get_trusteddom_pw( domain->name, &ads->auth.password, NULL, NULL ) ) { ads_destroy( &ads ); return NULL; } ads->auth.realm = SMB_STRDUP( ads->server.realm ); strupper_m( ads->auth.realm ); } else { struct winbindd_domain *our_domain = domain; ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); /* always give preference to the alt_name in our primary domain if possible */ if ( !domain->primary ) our_domain = find_our_domain(); if ( our_domain->alt_name[0] != '\0' ) { ads->auth.realm = SMB_STRDUP( our_domain->alt_name ); strupper_m( ads->auth.realm ); } else ads->auth.realm = SMB_STRDUP( lp_realm() ); } ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME; /* Setup the server affinity cache. We don't reaally care about the name. Just setup affinity and the KRB5_CONFIG file. */ get_dc_name( ads->server.workgroup, ads->server.realm, dc_name, &dc_ss ); status = ads_connect(ads); if (!ADS_ERR_OK(status) || !ads->config.realm) { DEBUG(1,("ads_connect for domain %s failed: %s\n", domain->name, ads_errstr(status))); ads_destroy(&ads); /* if we get ECONNREFUSED then it might be a NT4 server, fall back to MSRPC */ if (status.error_type == ENUM_ADS_ERROR_SYSTEM && status.err.rc == ECONNREFUSED) { /* 'reconnect_methods' is the MS-RPC backend. */ DEBUG(1,("Trying MSRPC methods\n")); domain->backend = &reconnect_methods; } return NULL; } /* set the flag that says we don't own the memory even though we do so that ads_destroy() won't destroy the structure we pass back by reference */ ads->is_mine = False; domain->private_data = (void *)ads; return ads; }
NTSTATUS cell_connect(struct likewise_cell *c) { ADS_STRUCT *ads = NULL; ADS_STATUS ads_status; fstring dc_name; struct sockaddr_storage dcip; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; /* have to at least have the AD domain name */ if (!c->dns_domain) { nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; BAIL_ON_NTSTATUS_ERROR(nt_status); } /* clear out any old information */ if (c->conn) { ads_destroy(&c->conn); c->conn = NULL; } /* now setup the new connection */ ads = ads_init(c->dns_domain, NULL, NULL); BAIL_ON_PTR_ERROR(ads, nt_status); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ads->auth.realm = SMB_STRDUP(lp_realm()); /* Make the connection. We should already have an initial TGT using the machine creds */ if (cell_flags(c) & LWCELL_FLAG_GC_CELL) { ads_status = ads_connect_gc(ads); } else { /* Set up server affinity for normal cells and the client site name cache */ if (!get_dc_name("", c->dns_domain, dc_name, &dcip)) { nt_status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; BAIL_ON_NTSTATUS_ERROR(nt_status); } ads_status = ads_connect(ads); } c->conn = ads; nt_status = ads_ntstatus(ads_status); done: if (!NT_STATUS_IS_OK(nt_status)) { ads_destroy(&ads); c->conn = NULL; } return nt_status; }
/* a wrapper around ldap_search_s that retries depending on the error code this is supposed to catch dropped connections and auto-reconnect */ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind_path, int scope, const char *expr, const char **attrs, void *args, LDAPMessage **res) { ADS_STATUS status = ADS_SUCCESS; int count = 3; char *bp; *res = NULL; if (!ads->ldap.ld && time_mono(NULL) - ads->ldap.last_attempt < ADS_RECONNECT_TIME) { return ADS_ERROR(LDAP_SERVER_DOWN); } bp = SMB_STRDUP(bind_path); if (!bp) { return ADS_ERROR(LDAP_NO_MEMORY); } *res = NULL; /* when binding anonymously, we cannot use the paged search LDAP * control - Guenther */ if (ads->auth.flags & ADS_AUTH_ANON_BIND) { status = ads_do_search(ads, bp, scope, expr, attrs, res); } else { status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); } if (ADS_ERR_OK(status)) { DEBUG(5,("Search for %s in <%s> gave %d replies\n", expr, bp, ads_count_replies(ads, *res))); SAFE_FREE(bp); return status; } while (--count) { if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && ads->config.ldap_page_size >= 250) { int new_page_size = (ads->config.ldap_page_size / 2); DEBUG(1, ("Reducing LDAP page size from %d to %d due to IO_TIMEOUT\n", ads->config.ldap_page_size, new_page_size)); ads->config.ldap_page_size = new_page_size; } if (*res) ads_msgfree(ads, *res); *res = NULL; DEBUG(3,("Reopening ads connection to realm '%s' after error %s\n", ads->config.realm, ads_errstr(status))); ads_disconnect(ads); status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(1,("ads_search_retry: failed to reconnect (%s)\n", ads_errstr(status))); ads_destroy(&ads); SAFE_FREE(bp); return status; } *res = NULL; /* when binding anonymously, we cannot use the paged search LDAP * control - Guenther */ if (ads->auth.flags & ADS_AUTH_ANON_BIND) { status = ads_do_search(ads, bp, scope, expr, attrs, res); } else { status = ads_do_search_all_args(ads, bp, scope, expr, attrs, args, res); } if (ADS_ERR_OK(status)) { DEBUG(5,("Search for filter: %s, base: %s gave %d replies\n", expr, bp, ads_count_replies(ads, *res))); SAFE_FREE(bp); return status; } } SAFE_FREE(bp); if (!ADS_ERR_OK(status)) { DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status))); } return status; }
WERROR check_published_printers(struct messaging_context *msg_ctx) { ADS_STATUS ads_rc; ADS_STRUCT *ads = NULL; int snum; int n_services = lp_numservices(); TALLOC_CTX *tmp_ctx = NULL; struct auth_serversupplied_info *session_info = NULL; struct spoolss_PrinterInfo2 *pinfo2; NTSTATUS status; WERROR result; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return WERR_NOMEM; ads = ads_init(lp_realm(), lp_workgroup(), NULL); if (!ads) { DEBUG(3, ("ads_init() failed\n")); return WERR_SERVER_UNAVAILABLE; } setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); SAFE_FREE(ads->auth.password); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); /* ads_connect() will find the DC for us */ ads_rc = ads_connect(ads); if (!ADS_ERR_OK(ads_rc)) { DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_rc))); result = WERR_ACCESS_DENIED; goto done; } status = make_session_info_system(tmp_ctx, &session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("check_published_printers: " "Could not create system session_info\n")); result = WERR_ACCESS_DENIED; goto done; } for (snum = 0; snum < n_services; snum++) { if (!lp_snum_ok(snum) || !lp_print_ok(snum)) { continue; } result = winreg_get_printer(tmp_ctx, session_info, msg_ctx, lp_servicename(snum), &pinfo2); if (!W_ERROR_IS_OK(result)) { continue; } if (pinfo2->attributes & PRINTER_ATTRIBUTE_PUBLISHED) { nt_printer_publish_ads(msg_ctx, ads, pinfo2); } TALLOC_FREE(pinfo2); } result = WERR_OK; done: ads_destroy(&ads); ads_kdestroy("MEMORY:prtpub_cache"); talloc_free(tmp_ctx); return result; }
WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, const struct auth_serversupplied_info *session_info, struct messaging_context *msg_ctx, struct spoolss_PrinterInfo2 *pinfo2, int action) { uint32_t info2_mask = SPOOLSS_PRINTER_INFO_ATTRIBUTES; struct spoolss_SetPrinterInfo2 *sinfo2; ADS_STATUS ads_rc; ADS_STRUCT *ads = NULL; WERROR win_rc; sinfo2 = talloc_zero(mem_ctx, struct spoolss_SetPrinterInfo2); if (!sinfo2) { return WERR_NOMEM; } switch (action) { case DSPRINT_PUBLISH: case DSPRINT_UPDATE: pinfo2->attributes |= PRINTER_ATTRIBUTE_PUBLISHED; break; case DSPRINT_UNPUBLISH: pinfo2->attributes ^= PRINTER_ATTRIBUTE_PUBLISHED; break; default: win_rc = WERR_NOT_SUPPORTED; goto done; } sinfo2->attributes = pinfo2->attributes; win_rc = winreg_update_printer(mem_ctx, session_info, msg_ctx, pinfo2->sharename, info2_mask, sinfo2, NULL, NULL); if (!W_ERROR_IS_OK(win_rc)) { DEBUG(3, ("err %d saving data\n", W_ERROR_V(win_rc))); goto done; } TALLOC_FREE(sinfo2); ads = ads_init(lp_realm(), lp_workgroup(), NULL); if (!ads) { DEBUG(3, ("ads_init() failed\n")); win_rc = WERR_SERVER_UNAVAILABLE; goto done; } setenv(KRB5_ENV_CCNAME, "MEMORY:prtpub_cache", 1); SAFE_FREE(ads->auth.password); ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); /* ads_connect() will find the DC for us */ ads_rc = ads_connect(ads); if (!ADS_ERR_OK(ads_rc)) { DEBUG(3, ("ads_connect failed: %s\n", ads_errstr(ads_rc))); win_rc = WERR_ACCESS_DENIED; goto done; } switch (action) { case DSPRINT_PUBLISH: case DSPRINT_UPDATE: win_rc = nt_printer_publish_ads(msg_ctx, ads, pinfo2); break; case DSPRINT_UNPUBLISH: win_rc = nt_printer_unpublish_ads(ads, pinfo2->sharename); break; } done: ads_destroy(&ads); return win_rc; }
/** * @brief Establish a connection to a DC * * @param[out] adsp ADS_STRUCT that will be created * @param[in] target_realm Realm of domain to connect to * @param[in] target_dom_name 'workgroup' name of domain to connect to * @param[in] ldap_server DNS name of server to connect to * @param[in] password Our machine acount secret * @param[in] auth_realm Realm of local domain for creating krb token * @param[in] renewable Renewable ticket time * * @return ADS_STATUS */ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, const char *target_realm, const char *target_dom_name, const char *ldap_server, char *password, char *auth_realm, time_t renewable) { ADS_STRUCT *ads; ADS_STATUS status; struct sockaddr_storage dc_ss; fstring dc_name; if (auth_realm == NULL) { return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); } /* we don't want this to affect the users ccache */ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); ads = ads_init(target_realm, target_dom_name, ldap_server); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); return ADS_ERROR(LDAP_NO_MEMORY); } SAFE_FREE(ads->auth.password); SAFE_FREE(ads->auth.realm); ads->auth.renewable = renewable; ads->auth.password = password; ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ads->auth.realm = SMB_STRDUP(auth_realm); if (!strupper_m(ads->auth.realm)) { ads_destroy(&ads); return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); } /* Setup the server affinity cache. We don't reaally care about the name. Just setup affinity and the KRB5_CONFIG file. */ get_dc_name(ads->server.workgroup, ads->server.realm, dc_name, &dc_ss); status = ads_connect(ads); if (!ADS_ERR_OK(status)) { DEBUG(1,("ads_connect for domain %s failed: %s\n", target_dom_name, ads_errstr(status))); ads_destroy(&ads); return status; } /* set the flag that says we don't own the memory even though we do so that ads_destroy() won't destroy the structure we pass back by reference */ ads->is_mine = False; *adsp = ads; return status; }