r17094: merge fixes for 3.0.23a

author: Gerald Carter <jerry@samba.org> 2006-07-17 18:46:06 +0000
committer: Gerald Carter <jerry@samba.org> 2006-07-17 18:46:06 +0000
commit: b4bb14b5950debe92edfb9cea233833cd8d768b6 (patch)
tree: 5716c650a368ed4e62ac2547ac0a5cc7e16430b0 /source/utils/net_ads.c
parent: 4d5ef356461e7939a83e95096e5fdeeb277912db (diff)
download: samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.gz
samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.xz
samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.zip
1 files changed, 124 insertions, 57 deletions
diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c
index 9d122a466bb..5e84f229aa2 100644
--- a/source/utils/net_ads.c
+++ b/source/utils/net_ads.c
@@ -80,6 +80,17 @@ int net_ads_usage(int argc, const char **argv)
 	return -1;
 }
 
+/* when we do not have sufficient input parameters to contact a remote domain
+ * we always fall back to our own realm - Guenther*/
+
+static const char *assume_own_realm(void)
+{
+	if (!opt_host && strequal(lp_workgroup(), opt_target_workgroup)) {
+		return lp_realm();
+	}
+
+	return NULL;
+}
 
 /*
   do a cldap netlogon query
@@ -161,10 +172,7 @@ static int net_ads_lookup(int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
-	const char *realm = NULL;
-
-	if ( strequal(lp_workgroup(), opt_target_workgroup ) )
-		realm = lp_realm();
+	const char *realm = assume_own_realm();
 
 	ads = ads_init(realm, opt_target_workgroup, opt_host);
 	if (ads) {
@@ -190,8 +198,9 @@ static int net_ads_lookup(int argc, const char **argv)
 static int net_ads_info(int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
+	const char *realm = assume_own_realm();
 
-	if ( (ads = ads_init(lp_realm(), opt_target_workgroup, opt_host)) != NULL ) {
+	if ( (ads = ads_init(realm, opt_target_workgroup, opt_host)) != NULL ) {
 		ads->auth.flags |= ADS_AUTH_NO_BIND;
 	}
 
@@ -228,20 +237,25 @@ static void use_in_memory_ccache(void) {
 	setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1);
 }
 
-static ADS_STRUCT *ads_startup(void)
+static ADS_STRUCT *ads_startup(BOOL only_own_domain)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
 	BOOL need_password = False;
 	BOOL second_time = False;
 	char *cp;
+	const char *realm = NULL;
 	
 	/* lp_realm() should be handled by a command line param, 
 	   However, the join requires that realm be set in smb.conf
 	   and compares our realm with the remote server's so this is
 	   ok until someone needs more flexibility */
-	   
-	ads = ads_init(lp_realm(), opt_target_workgroup, opt_host);
+
+ 	if (only_own_domain) {
+		realm = lp_realm();
+	}
+   
+	ads = ads_init(realm, opt_target_workgroup, opt_host);
 
 	if (!opt_user_name) {
 		opt_user_name = "administrator";
@@ -299,12 +313,12 @@ retry:
   ads_startup() stores the password in opt_password if it needs to so
   that rpc or rap can use it without re-prompting.
 */
-int net_ads_check(void)
+static int net_ads_check_int(const char *realm, const char *workgroup, const char *host)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
 
-	if ( (ads = ads_init( lp_realm(), lp_workgroup(), NULL )) == NULL ) {
+	if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
 		return -1;
 	}
 
@@ -319,6 +333,15 @@ int net_ads_check(void)
 	return 0;
 }
 
+int net_ads_check_our_domain(void)
+{
+	return net_ads_check_int(lp_realm(), lp_workgroup(), NULL);
+}
+
+int net_ads_check(void)
+{
+	return net_ads_check_int(NULL, opt_workgroup, opt_host);
+}
 /* 
    determine the netbios workgroup name for a domain
  */
@@ -326,12 +349,9 @@ static int net_ads_workgroup(int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
 	ADS_STATUS status;
-	const char *realm = NULL;
+	const char *realm = assume_own_realm();
 	struct cldap_netlogon_reply reply;
 
-	if ( strequal(lp_workgroup(), opt_target_workgroup ) )
-		realm = lp_realm();
-
 	ads = ads_init(realm, opt_target_workgroup, opt_host);
 	if (ads) {
 		ads->auth.flags |= ADS_AUTH_NO_BIND;
@@ -405,7 +425,7 @@ static int ads_user_add(int argc, const char **argv)
 
 	if (argc < 1) return net_ads_user_usage(argc, argv);
 	
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -490,7 +510,7 @@ static int ads_user_info(int argc, const char **argv)
 		return -1;
 	}
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		SAFE_FREE(escaped_user);
 		return -1;
 	}
@@ -506,7 +526,8 @@ static int ads_user_info(int argc, const char **argv)
 		return -1;
 	}
 	
-	grouplist = ldap_get_values(ads->ld, res, "memberOf");
+	grouplist = ldap_get_values((LDAP *)ads->ld,
+				    (LDAPMessage *)res, "memberOf");
 
 	if (grouplist) {
 		int i;
@@ -536,7 +557,7 @@ static int ads_user_delete(int argc, const char **argv)
 		return net_ads_user_usage(argc, argv);
 	}
 	
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -576,7 +597,7 @@ int net_ads_user(int argc, const char **argv)
 	char *disp_fields[2] = {NULL, NULL};
 	
 	if (argc == 0) {
-		if (!(ads = ads_startup())) {
+		if (!(ads = ads_startup(False))) {
 			return -1;
 		}
 
@@ -591,7 +612,7 @@ int net_ads_user(int argc, const char **argv)
 					  shortattrs, usergrp_display, 
 					  disp_fields);
 		ads_destroy(&ads);
-		return 0;
+		return ADS_ERR_OK(rc) ? 0 : -1;
 	}
 
 	return net_run_function(argc, argv, func, net_ads_user_usage);
@@ -613,7 +634,7 @@ static int ads_group_add(int argc, const char **argv)
 		return net_ads_group_usage(argc, argv);
 	}
 	
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -662,7 +683,7 @@ static int ads_group_delete(int argc, const char **argv)
 		return net_ads_group_usage(argc, argv);
 	}
 	
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -701,7 +722,7 @@ int net_ads_group(int argc, const char **argv)
 	char *disp_fields[2] = {NULL, NULL};
 
 	if (argc == 0) {
-		if (!(ads = ads_startup())) {
+		if (!(ads = ads_startup(False))) {
 			return -1;
 		}
 
@@ -716,7 +737,7 @@ int net_ads_group(int argc, const char **argv)
 					  disp_fields);
 
 		ads_destroy(&ads);
-		return 0;
+		return ADS_ERR_OK(rc) ? 0 : -1;
 	}
 	return net_run_function(argc, argv, func, net_ads_group_usage);
 }
@@ -727,7 +748,7 @@ static int net_ads_status(int argc, const char **argv)
 	ADS_STATUS rc;
 	void *res;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -776,7 +797,7 @@ static int net_ads_leave(int argc, const char **argv)
 	/* The finds a DC and takes care of getting the 
 	   user creds if necessary */
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -826,7 +847,7 @@ static int net_ads_join_ok(void)
 
 	net_use_machine_password();
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -1011,7 +1032,7 @@ static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou )
 	asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path);
 	free(ou_str);
 
-	rc = ads_search_dn(ads, (void**)&res, dn, NULL);
+	rc = ads_search_dn(ads, &res, dn, NULL);
 	ads_msgfree(ads, res);
 
 	if (ADS_ERR_OK(rc)) {
@@ -1029,6 +1050,61 @@ static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou )
 	return rc;
 }
 
+/************************************************************************
+ ************************************************************************/
+
+static BOOL net_derive_salting_principal( TALLOC_CTX *ctx, ADS_STRUCT *ads )
+{
+	uint32 domain_func;
+	ADS_STATUS status;
+	fstring salt;
+	char *std_salt;
+	LDAPMessage *res = NULL;
+	const char *machine_name = global_myname();
+
+	status = ads_domain_func_level( ads, &domain_func );
+	if ( !ADS_ERR_OK(status) ) {
+		DEBUG(2,("Failed to determine domain functional level!\n"));
+		return False;
+	}
+
+	/* go ahead and setup the default salt */
+
+	if ( (std_salt = kerberos_standard_des_salt()) == NULL ) {
+		DEBUG(0,("net_derive_salting_principal: failed to obtain stanard DES salt\n"));
+		return False;
+	}
+
+	fstrcpy( salt, std_salt );
+	SAFE_FREE( std_salt );
+	
+	/* if it's a Windows functional domain, we have to look for the UPN */
+	   
+	if ( domain_func == DS_DOMAIN_FUNCTION_2000 ) {	
+		char *upn;
+		int count;
+		
+		status = ads_find_machine_acct(ads, (void **)(void *)&res, machine_name);
+		if (!ADS_ERR_OK(status)) {
+			return False;
+		}
+		
+		if ( (count = ads_count_replies(ads, res)) != 1 ) {
+			DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count));
+			return False;
+		}
+		
+		upn = ads_pull_string(ads, ctx, res, "userPrincipalName");
+		if ( upn ) {
+			fstrcpy( salt, upn );
+		}
+		
+		ads_msgfree(ads, res);
+	}
+
+	return kerberos_secrets_store_des_salt( salt );
+}
+
 /*******************************************************************
   join a domain using ADS (LDAP mods)
  ********************************************************************/
@@ -1049,7 +1125,7 @@ int net_ads_join(int argc, const char **argv)
 		return -1;
 	}
 
-	if ( (ads = ads_startup()) == NULL ) {
+	if ( (ads = ads_startup(True)) == NULL ) {
 		return -1;
 	}
 
@@ -1139,30 +1215,16 @@ int net_ads_join(int argc, const char **argv)
 		/* don't fail */
 	}
 
-#if defined(HAVE_KRB5) 
-	if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
-		d_fprintf(stderr, "asprintf failed\n");
-		ads_destroy(&ads);
-		return -1;
-	}
-
-	if (!kerberos_derive_salting_principal(machine_account)) {
+	if ( !net_derive_salting_principal( ctx, ads ) ) {
 		DEBUG(1,("Failed to determine salting principal\n"));
 		ads_destroy(&ads);
 		return -1;
 	}
 
-	if (!kerberos_derive_cifs_salting_principals()) {
-		DEBUG(1,("Failed to determine salting principals\n"));
-		ads_destroy(&ads);
-		return -1;
-	}
-	
 	/* Now build the keytab, using the same ADS connection */
 	if (lp_use_kerberos_keytab() && ads_keytab_create_default(ads)) {
 		DEBUG(1,("Error creating host keytab!\n"));
 	}
-#endif
 
 	d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
 
@@ -1202,7 +1264,7 @@ static int net_ads_printer_search(int argc, const char **argv)
 	ADS_STATUS rc;
 	void *res = NULL;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -1235,7 +1297,7 @@ static int net_ads_printer_info(int argc, const char **argv)
 	const char *servername, *printername;
 	void *res = NULL;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -1294,7 +1356,7 @@ static int net_ads_printer_publish(int argc, const char **argv)
 	char *prt_dn, *srv_dn, **srv_cn;
 	void *res = NULL;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -1340,7 +1402,7 @@ static int net_ads_printer_publish(int argc, const char **argv)
 		return -1;
 	}
 
-	srv_dn = ldap_get_dn(ads->ld, res);
+	srv_dn = ldap_get_dn((LDAP *)ads->ld, (LDAPMessage *)res);
 	srv_cn = ldap_explode_dn(srv_dn, 1);
 
 	asprintf(&prt_dn, "cn=%s-%s,%s", srv_cn[0], printername, srv_dn);
@@ -1377,7 +1439,7 @@ static int net_ads_printer_remove(int argc, const char **argv)
 	char *prt_dn;
 	void *res = NULL;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -1473,7 +1535,7 @@ static int net_ads_password(int argc, const char **argv)
 
 	/* use the realm so we can eventually change passwords for users 
 	in realms other than default */
-	if (!(ads = ads_init(realm, opt_workgroup, NULL))) {
+	if (!(ads = ads_init(realm, opt_workgroup, opt_host))) {
 		return -1;
 	}
 
@@ -1524,7 +1586,7 @@ int net_ads_changetrustpw(int argc, const char **argv)
 
 	use_in_memory_ccache();
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 
@@ -1589,7 +1651,7 @@ static int net_ads_search(int argc, const char **argv)
 		return net_ads_search_usage(argc, argv);
 	}
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -1649,7 +1711,7 @@ static int net_ads_dn(int argc, const char **argv)
 		return net_ads_dn_usage(argc, argv);
 	}
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -1709,7 +1771,7 @@ static int net_ads_sid(int argc, const char **argv)
 		return net_ads_sid_usage(argc, argv);
 	}
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(False))) {
 		return -1;
 	}
 
@@ -1766,7 +1828,7 @@ static int net_ads_keytab_flush(int argc, const char **argv)
 	int ret;
 	ADS_STRUCT *ads;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 	ret = ads_keytab_flush(ads);
@@ -1781,7 +1843,7 @@ static int net_ads_keytab_add(int argc, const char **argv)
 	ADS_STRUCT *ads;
 
 	d_printf("Processing principals to add...\n");
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 	for (i = 0; i < argc; i++) {
@@ -1796,7 +1858,7 @@ static int net_ads_keytab_create(int argc, const char **argv)
 	ADS_STRUCT *ads;
 	int ret;
 
-	if (!(ads = ads_startup())) {
+	if (!(ads = ads_startup(True))) {
 		return -1;
 	}
 	ret = ads_keytab_create_default(ads);
@@ -1919,6 +1981,11 @@ int net_ads_check(void)
 	return -1;
 }
 
+int net_ads_check_our_domain(void)
+{
+	return -1;
+}
+
 int net_ads(int argc, const char **argv)
 {
 	return net_ads_usage(argc, argv);
author	Gerald Carter <jerry@samba.org>	2006-07-17 18:46:06 +0000
committer	Gerald Carter <jerry@samba.org>	2006-07-17 18:46:06 +0000
commit	b4bb14b5950debe92edfb9cea233833cd8d768b6 (patch)
tree	5716c650a368ed4e62ac2547ac0a5cc7e16430b0 /source/utils/net_ads.c
parent	4d5ef356461e7939a83e95096e5fdeeb277912db (diff)
download	samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.gz samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.tar.xz samba-b4bb14b5950debe92edfb9cea233833cd8d768b6.zip