diff options
author | Gerald Carter <jerry@samba.org> | 2006-07-17 18:46:06 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2006-07-17 18:46:06 +0000 |
commit | b4bb14b5950debe92edfb9cea233833cd8d768b6 (patch) | |
tree | 5716c650a368ed4e62ac2547ac0a5cc7e16430b0 /source/utils/net_ads.c | |
parent | 4d5ef356461e7939a83e95096e5fdeeb277912db (diff) | |
download | samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.gz samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.xz samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.zip |
r17094: merge fixes for 3.0.23a
Diffstat (limited to 'source/utils/net_ads.c')
-rw-r--r-- | source/utils/net_ads.c | 181 |
1 files changed, 124 insertions, 57 deletions
diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c index 9d122a466bb..5e84f229aa2 100644 --- a/source/utils/net_ads.c +++ b/source/utils/net_ads.c @@ -80,6 +80,17 @@ int net_ads_usage(int argc, const char **argv) return -1; } +/* when we do not have sufficient input parameters to contact a remote domain + * we always fall back to our own realm - Guenther*/ + +static const char *assume_own_realm(void) +{ + if (!opt_host && strequal(lp_workgroup(), opt_target_workgroup)) { + return lp_realm(); + } + + return NULL; +} /* do a cldap netlogon query @@ -161,10 +172,7 @@ static int net_ads_lookup(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; - const char *realm = NULL; - - if ( strequal(lp_workgroup(), opt_target_workgroup ) ) - realm = lp_realm(); + const char *realm = assume_own_realm(); ads = ads_init(realm, opt_target_workgroup, opt_host); if (ads) { @@ -190,8 +198,9 @@ static int net_ads_lookup(int argc, const char **argv) static int net_ads_info(int argc, const char **argv) { ADS_STRUCT *ads; + const char *realm = assume_own_realm(); - if ( (ads = ads_init(lp_realm(), opt_target_workgroup, opt_host)) != NULL ) { + if ( (ads = ads_init(realm, opt_target_workgroup, opt_host)) != NULL ) { ads->auth.flags |= ADS_AUTH_NO_BIND; } @@ -228,20 +237,25 @@ static void use_in_memory_ccache(void) { setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1); } -static ADS_STRUCT *ads_startup(void) +static ADS_STRUCT *ads_startup(BOOL only_own_domain) { ADS_STRUCT *ads; ADS_STATUS status; BOOL need_password = False; BOOL second_time = False; char *cp; + const char *realm = NULL; /* lp_realm() should be handled by a command line param, However, the join requires that realm be set in smb.conf and compares our realm with the remote server's so this is ok until someone needs more flexibility */ - - ads = ads_init(lp_realm(), opt_target_workgroup, opt_host); + + if (only_own_domain) { + realm = lp_realm(); + } + + ads = ads_init(realm, opt_target_workgroup, opt_host); if (!opt_user_name) { opt_user_name = "administrator"; @@ -299,12 +313,12 @@ retry: ads_startup() stores the password in opt_password if it needs to so that rpc or rap can use it without re-prompting. */ -int net_ads_check(void) +static int net_ads_check_int(const char *realm, const char *workgroup, const char *host) { ADS_STRUCT *ads; ADS_STATUS status; - if ( (ads = ads_init( lp_realm(), lp_workgroup(), NULL )) == NULL ) { + if ( (ads = ads_init( realm, workgroup, host )) == NULL ) { return -1; } @@ -319,6 +333,15 @@ int net_ads_check(void) return 0; } +int net_ads_check_our_domain(void) +{ + return net_ads_check_int(lp_realm(), lp_workgroup(), NULL); +} + +int net_ads_check(void) +{ + return net_ads_check_int(NULL, opt_workgroup, opt_host); +} /* determine the netbios workgroup name for a domain */ @@ -326,12 +349,9 @@ static int net_ads_workgroup(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; - const char *realm = NULL; + const char *realm = assume_own_realm(); struct cldap_netlogon_reply reply; - if ( strequal(lp_workgroup(), opt_target_workgroup ) ) - realm = lp_realm(); - ads = ads_init(realm, opt_target_workgroup, opt_host); if (ads) { ads->auth.flags |= ADS_AUTH_NO_BIND; @@ -405,7 +425,7 @@ static int ads_user_add(int argc, const char **argv) if (argc < 1) return net_ads_user_usage(argc, argv); - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -490,7 +510,7 @@ static int ads_user_info(int argc, const char **argv) return -1; } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { SAFE_FREE(escaped_user); return -1; } @@ -506,7 +526,8 @@ static int ads_user_info(int argc, const char **argv) return -1; } - grouplist = ldap_get_values(ads->ld, res, "memberOf"); + grouplist = ldap_get_values((LDAP *)ads->ld, + (LDAPMessage *)res, "memberOf"); if (grouplist) { int i; @@ -536,7 +557,7 @@ static int ads_user_delete(int argc, const char **argv) return net_ads_user_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -576,7 +597,7 @@ int net_ads_user(int argc, const char **argv) char *disp_fields[2] = {NULL, NULL}; if (argc == 0) { - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -591,7 +612,7 @@ int net_ads_user(int argc, const char **argv) shortattrs, usergrp_display, disp_fields); ads_destroy(&ads); - return 0; + return ADS_ERR_OK(rc) ? 0 : -1; } return net_run_function(argc, argv, func, net_ads_user_usage); @@ -613,7 +634,7 @@ static int ads_group_add(int argc, const char **argv) return net_ads_group_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -662,7 +683,7 @@ static int ads_group_delete(int argc, const char **argv) return net_ads_group_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -701,7 +722,7 @@ int net_ads_group(int argc, const char **argv) char *disp_fields[2] = {NULL, NULL}; if (argc == 0) { - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -716,7 +737,7 @@ int net_ads_group(int argc, const char **argv) disp_fields); ads_destroy(&ads); - return 0; + return ADS_ERR_OK(rc) ? 0 : -1; } return net_run_function(argc, argv, func, net_ads_group_usage); } @@ -727,7 +748,7 @@ static int net_ads_status(int argc, const char **argv) ADS_STATUS rc; void *res; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -776,7 +797,7 @@ static int net_ads_leave(int argc, const char **argv) /* The finds a DC and takes care of getting the user creds if necessary */ - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -826,7 +847,7 @@ static int net_ads_join_ok(void) net_use_machine_password(); - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -1011,7 +1032,7 @@ static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou ) asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path); free(ou_str); - rc = ads_search_dn(ads, (void**)&res, dn, NULL); + rc = ads_search_dn(ads, &res, dn, NULL); ads_msgfree(ads, res); if (ADS_ERR_OK(rc)) { @@ -1029,6 +1050,61 @@ static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou ) return rc; } +/************************************************************************ + ************************************************************************/ + +static BOOL net_derive_salting_principal( TALLOC_CTX *ctx, ADS_STRUCT *ads ) +{ + uint32 domain_func; + ADS_STATUS status; + fstring salt; + char *std_salt; + LDAPMessage *res = NULL; + const char *machine_name = global_myname(); + + status = ads_domain_func_level( ads, &domain_func ); + if ( !ADS_ERR_OK(status) ) { + DEBUG(2,("Failed to determine domain functional level!\n")); + return False; + } + + /* go ahead and setup the default salt */ + + if ( (std_salt = kerberos_standard_des_salt()) == NULL ) { + DEBUG(0,("net_derive_salting_principal: failed to obtain stanard DES salt\n")); + return False; + } + + fstrcpy( salt, std_salt ); + SAFE_FREE( std_salt ); + + /* if it's a Windows functional domain, we have to look for the UPN */ + + if ( domain_func == DS_DOMAIN_FUNCTION_2000 ) { + char *upn; + int count; + + status = ads_find_machine_acct(ads, (void **)(void *)&res, machine_name); + if (!ADS_ERR_OK(status)) { + return False; + } + + if ( (count = ads_count_replies(ads, res)) != 1 ) { + DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count)); + return False; + } + + upn = ads_pull_string(ads, ctx, res, "userPrincipalName"); + if ( upn ) { + fstrcpy( salt, upn ); + } + + ads_msgfree(ads, res); + } + + return kerberos_secrets_store_des_salt( salt ); +} + /******************************************************************* join a domain using ADS (LDAP mods) ********************************************************************/ @@ -1049,7 +1125,7 @@ int net_ads_join(int argc, const char **argv) return -1; } - if ( (ads = ads_startup()) == NULL ) { + if ( (ads = ads_startup(True)) == NULL ) { return -1; } @@ -1139,30 +1215,16 @@ int net_ads_join(int argc, const char **argv) /* don't fail */ } -#if defined(HAVE_KRB5) - if (asprintf(&machine_account, "%s$", global_myname()) == -1) { - d_fprintf(stderr, "asprintf failed\n"); - ads_destroy(&ads); - return -1; - } - - if (!kerberos_derive_salting_principal(machine_account)) { + if ( !net_derive_salting_principal( ctx, ads ) ) { DEBUG(1,("Failed to determine salting principal\n")); ads_destroy(&ads); return -1; } - if (!kerberos_derive_cifs_salting_principals()) { - DEBUG(1,("Failed to determine salting principals\n")); - ads_destroy(&ads); - return -1; - } - /* Now build the keytab, using the same ADS connection */ if (lp_use_kerberos_keytab() && ads_keytab_create_default(ads)) { DEBUG(1,("Error creating host keytab!\n")); } -#endif d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm); @@ -1202,7 +1264,7 @@ static int net_ads_printer_search(int argc, const char **argv) ADS_STATUS rc; void *res = NULL; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -1235,7 +1297,7 @@ static int net_ads_printer_info(int argc, const char **argv) const char *servername, *printername; void *res = NULL; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -1294,7 +1356,7 @@ static int net_ads_printer_publish(int argc, const char **argv) char *prt_dn, *srv_dn, **srv_cn; void *res = NULL; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -1340,7 +1402,7 @@ static int net_ads_printer_publish(int argc, const char **argv) return -1; } - srv_dn = ldap_get_dn(ads->ld, res); + srv_dn = ldap_get_dn((LDAP *)ads->ld, (LDAPMessage *)res); srv_cn = ldap_explode_dn(srv_dn, 1); asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn[0], printername, srv_dn); @@ -1377,7 +1439,7 @@ static int net_ads_printer_remove(int argc, const char **argv) char *prt_dn; void *res = NULL; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -1473,7 +1535,7 @@ static int net_ads_password(int argc, const char **argv) /* use the realm so we can eventually change passwords for users in realms other than default */ - if (!(ads = ads_init(realm, opt_workgroup, NULL))) { + if (!(ads = ads_init(realm, opt_workgroup, opt_host))) { return -1; } @@ -1524,7 +1586,7 @@ int net_ads_changetrustpw(int argc, const char **argv) use_in_memory_ccache(); - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } @@ -1589,7 +1651,7 @@ static int net_ads_search(int argc, const char **argv) return net_ads_search_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -1649,7 +1711,7 @@ static int net_ads_dn(int argc, const char **argv) return net_ads_dn_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -1709,7 +1771,7 @@ static int net_ads_sid(int argc, const char **argv) return net_ads_sid_usage(argc, argv); } - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(False))) { return -1; } @@ -1766,7 +1828,7 @@ static int net_ads_keytab_flush(int argc, const char **argv) int ret; ADS_STRUCT *ads; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } ret = ads_keytab_flush(ads); @@ -1781,7 +1843,7 @@ static int net_ads_keytab_add(int argc, const char **argv) ADS_STRUCT *ads; d_printf("Processing principals to add...\n"); - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } for (i = 0; i < argc; i++) { @@ -1796,7 +1858,7 @@ static int net_ads_keytab_create(int argc, const char **argv) ADS_STRUCT *ads; int ret; - if (!(ads = ads_startup())) { + if (!(ads = ads_startup(True))) { return -1; } ret = ads_keytab_create_default(ads); @@ -1919,6 +1981,11 @@ int net_ads_check(void) return -1; } +int net_ads_check_our_domain(void) +{ + return -1; +} + int net_ads(int argc, const char **argv) { return net_ads_usage(argc, argv); |