Context Navigation

source: branches/samba-3.2.x/source/libads/ldap.c@ 272

Visit:

Last change on this file since 272 was 272, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 to 3.2.12
File size: 97.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	ads (active directory) utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7	Copyright (C) Guenther Deschner 2005
8	Copyright (C) Gerald Carter 2006
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "lib/ldb/include/includes.h"
26
27	#ifdef HAVE_LDAP
28
29	/**
30	* @file ldap.c
31	* @brief basic ldap client-side routines for ads server communications
32	*
33	* The routines contained here should do the necessary ldap calls for
34	* ads setups.
35	*
36	* Important note: attribute names passed into ads_ routines must
37	* already be in UTF-8 format. We do not convert them because in almost
38	* all cases, they are just ascii (which is represented with the same
39	* codepoints in UTF-8). This may have to change at some point
40	**/
41
42
43	#define LDAP_SERVER_TREE_DELETE_OID "1.2.840.113556.1.4.805"
44
45	static SIG_ATOMIC_T gotalarm;
46
47	/***************************************************************
48	Signal function to tell us we timed out.
49	****************************************************************/
50
51	static void gotalarm_sig(void)
52	{
53	gotalarm = 1;
54	}
55
56	LDAP ldap_open_with_timeout(const char server, int port, unsigned int to)
57	{
58	LDAP *ldp = NULL;
59
60
61	DEBUG(10, ("Opening connection to LDAP server '%s:%d', timeout "
62	"%u seconds\n", server, port, to));
63
64	/* Setup timeout */
65	gotalarm = 0;
66	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
67	alarm(to);
68	/* End setup timeout. */
69
70	ldp = ldap_open(server, port);
71
72	if (ldp == NULL) {
73	DEBUG(2,("Could not open connection to LDAP server %s:%d: %s\n",
74	server, port, strerror(errno)));
75	} else {
76	DEBUG(10, ("Connected to LDAP server '%s:%d'\n", server, port));
77	}
78
79	/* Teardown timeout. */
80	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
81	alarm(0);
82
83	return ldp;
84	}
85
86	static int ldap_search_with_timeout(LDAP *ld,
87	LDAP_CONST char *base,
88	int scope,
89	LDAP_CONST char *filter,
90	char **attrs,
91	int attrsonly,
92	LDAPControl **sctrls,
93	LDAPControl **cctrls,
94	int sizelimit,
95	LDAPMessage **res )
96	{
97	struct timeval timeout;
98	int result;
99
100	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
101	timeout.tv_sec = lp_ldap_timeout();
102	timeout.tv_usec = 0;
103
104	/* Setup alarm timeout.... Do we need both of these ? JRA. */
105	gotalarm = 0;
106	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
107	alarm(lp_ldap_timeout());
108	/* End setup timeout. */
109
110	result = ldap_search_ext_s(ld, base, scope, filter, attrs,
111	attrsonly, sctrls, cctrls, &timeout,
112	sizelimit, res);
113
114	/* Teardown timeout. */
115	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
116	alarm(0);
117
118	if (gotalarm != 0)
119	return LDAP_TIMELIMIT_EXCEEDED;
120
121	/*
122	* A bug in OpenLDAP means ldap_search_ext_s can return
123	* LDAP_SUCCESS but with a NULL res pointer. Cope with
124	* this. See bug #6279 for details. JRA.
125	*/
126
127	if (*res == NULL) {
128	return LDAP_TIMELIMIT_EXCEEDED;
129	}
130
131	return result;
132	}
133
134	/**********************************************
135	Do client and server sitename match ?
136	**********************************************/
137
138	bool ads_sitename_match(ADS_STRUCT *ads)
139	{
140	if (ads->config.server_site_name == NULL &&
141	ads->config.client_site_name == NULL ) {
142	DEBUG(10,("ads_sitename_match: both null\n"));
143	return True;
144	}
145	if (ads->config.server_site_name &&
146	ads->config.client_site_name &&
147	strequal(ads->config.server_site_name,
148	ads->config.client_site_name)) {
149	DEBUG(10,("ads_sitename_match: name %s match\n", ads->config.server_site_name));
150	return True;
151	}
152	DEBUG(10,("ads_sitename_match: no match between server: %s and client: %s\n",
153	ads->config.server_site_name ? ads->config.server_site_name : "NULL",
154	ads->config.client_site_name ? ads->config.client_site_name : "NULL"));
155	return False;
156	}
157
158	/**********************************************
159	Is this the closest DC ?
160	**********************************************/
161
162	bool ads_closest_dc(ADS_STRUCT *ads)
163	{
164	if (ads->config.flags & NBT_SERVER_CLOSEST) {
165	DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
166	return True;
167	}
168
169	/* not sure if this can ever happen */
170	if (ads_sitename_match(ads)) {
171	DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag not set but sites match\n"));
172	return True;
173	}
174
175	if (ads->config.client_site_name == NULL) {
176	DEBUG(10,("ads_closest_dc: client belongs to no site\n"));
177	return True;
178	}
179
180	DEBUG(10,("ads_closest_dc: %s is not the closest DC\n",
181	ads->config.ldap_server_name));
182
183	return False;
184	}
185
186
187	/*
188	try a connection to a given ldap server, returning True and setting the servers IP
189	in the ads struct if successful
190	*/
191	bool ads_try_connect(ADS_STRUCT ads, const char server )
192	{
193	char *srv;
194	struct nbt_cldap_netlogon_5 cldap_reply;
195	TALLOC_CTX *mem_ctx = NULL;
196	bool ret = false;
197
198	if (!server \|\| !*server) {
199	return False;
200	}
201
202	DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
203	server, ads->server.realm));
204
205	mem_ctx = talloc_init("ads_try_connect");
206	if (!mem_ctx) {
207	DEBUG(0,("out of memory\n"));
208	return false;
209	}
210
211	/* this copes with inet_ntoa brokenness */
212
213	srv = SMB_STRDUP(server);
214
215	ZERO_STRUCT( cldap_reply );
216
217	if ( !ads_cldap_netlogon_5(mem_ctx, srv, ads->server.realm, &cldap_reply ) ) {
218	DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", srv));
219	ret = false;
220	goto out;
221	}
222
223	/* Check the CLDAP reply flags */
224
225	if ( !(cldap_reply.server_type & NBT_SERVER_LDAP) ) {
226	DEBUG(1,("ads_try_connect: %s's CLDAP reply says it is not an LDAP server!\n",
227	srv));
228	ret = false;
229	goto out;
230	}
231
232	/* Fill in the ads->config values */
233
234	SAFE_FREE(ads->config.realm);
235	SAFE_FREE(ads->config.bind_path);
236	SAFE_FREE(ads->config.ldap_server_name);
237	SAFE_FREE(ads->config.server_site_name);
238	SAFE_FREE(ads->config.client_site_name);
239	SAFE_FREE(ads->server.workgroup);
240
241	ads->config.flags = cldap_reply.server_type;
242	ads->config.ldap_server_name = SMB_STRDUP(cldap_reply.pdc_dns_name);
243	ads->config.realm = SMB_STRDUP(cldap_reply.dns_domain);
244	strupper_m(ads->config.realm);
245	ads->config.bind_path = ads_build_dn(ads->config.realm);
246	if (*cldap_reply.server_site) {
247	ads->config.server_site_name =
248	SMB_STRDUP(cldap_reply.server_site);
249	}
250	if (*cldap_reply.client_site) {
251	ads->config.client_site_name =
252	SMB_STRDUP(cldap_reply.client_site);
253	}
254	ads->server.workgroup = SMB_STRDUP(cldap_reply.domain);
255
256	ads->ldap.port = LDAP_PORT;
257	if (!interpret_string_addr(&ads->ldap.ss, srv, 0)) {
258	DEBUG(1,("ads_try_connect: unable to convert %s "
259	"to an address\n",
260	srv));
261	ret = false;
262	goto out;
263	}
264
265	/* Store our site name. */
266	sitename_store( cldap_reply.domain, cldap_reply.client_site);
267	sitename_store( cldap_reply.dns_domain, cldap_reply.client_site);
268
269	ret = true;
270	out:
271	SAFE_FREE(srv);
272	TALLOC_FREE(mem_ctx);
273
274	return ret;
275	}
276
277	/**********************************************************************
278	Try to find an AD dc using our internal name resolution routines
279	Try the realm first and then then workgroup name if netbios is not
280	disabled
281	**********************************************************************/
282
283	static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
284	{
285	const char *c_domain;
286	const char *c_realm;
287	int count, i=0;
288	struct ip_service *ip_list;
289	const char *realm;
290	const char *domain;
291	bool got_realm = False;
292	bool use_own_domain = False;
293	char *sitename;
294	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
295
296	/* if the realm and workgroup are both empty, assume they are ours */
297
298	/* realm */
299	c_realm = ads->server.realm;
300
301	if ( !c_realm \|\| !*c_realm ) {
302	/* special case where no realm and no workgroup means our own */
303	if ( !ads->server.workgroup \|\| !*ads->server.workgroup ) {
304	use_own_domain = True;
305	c_realm = lp_realm();
306	}
307	}
308
309	if (c_realm && *c_realm)
310	got_realm = True;
311
312	again:
313
314	/* we need to try once with the realm name and fallback to the
315	netbios domain name if we fail (if netbios has not been disabled */
316
317	if ( !got_realm && !lp_disable_netbios() ) {
318	c_realm = ads->server.workgroup;
319	if (!c_realm \|\| !*c_realm) {
320	if ( use_own_domain )
321	c_realm = lp_workgroup();
322	}
323	}
324
325	if ( !c_realm \|\| !*c_realm ) {
326	DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n"));
327	return NT_STATUS_INVALID_PARAMETER; /* rather need MISSING_PARAMETER ... */
328	}
329
330	if ( use_own_domain ) {
331	c_domain = lp_workgroup();
332	} else {
333	c_domain = ads->server.workgroup;
334	}
335
336	realm = c_realm;
337	domain = c_domain;
338
339	/*
340	* In case of LDAP we use get_dc_name() as that
341	* creates the custom krb5.conf file
342	*/
343	if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
344	fstring srv_name;
345	struct sockaddr_storage ip_out;
346
347	DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
348	(got_realm ? "realm" : "domain"), realm));
349
350	if (get_dc_name(domain, realm, srv_name, &ip_out)) {
351	/*
352	* we call ads_try_connect() to fill in the
353	* ads->config details
354	*/
355	if (ads_try_connect(ads, srv_name)) {
356	return NT_STATUS_OK;
357	}
358	}
359
360	return NT_STATUS_NO_LOGON_SERVERS;
361	}
362
363	sitename = sitename_fetch(realm);
364
365	DEBUG(6,("ads_find_dc: (cldap) looking for %s '%s'\n",
366	(got_realm ? "realm" : "domain"), realm));
367
368	status = get_sorted_dc_list(realm, sitename, &ip_list, &count, got_realm);
369	if (!NT_STATUS_IS_OK(status)) {
370	/* fall back to netbios if we can */
371	if ( got_realm && !lp_disable_netbios() ) {
372	got_realm = False;
373	goto again;
374	}
375
376	SAFE_FREE(sitename);
377	return status;
378	}
379
380	/* if we fail this loop, then giveup since all the IP addresses returned were dead */
381	for ( i=0; i<count; i++ ) {
382	char server[INET6_ADDRSTRLEN];
383
384	print_sockaddr(server, sizeof(server), &ip_list[i].ss);
385
386	if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) )
387	continue;
388
389	if (!got_realm) {
390	/* realm in this case is a workgroup name. We need
391	to ignore any IP addresses in the negative connection
392	cache that match ip addresses returned in the ad realm
393	case. It sucks that I have to reproduce the logic above... */
394	c_realm = ads->server.realm;
395	if ( !c_realm \|\| !*c_realm ) {
396	if ( !ads->server.workgroup \|\| !*ads->server.workgroup ) {
397	c_realm = lp_realm();
398	}
399	}
400	if (c_realm && *c_realm &&
401	!NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) {
402	/* Ensure we add the workgroup name for this
403	IP address as negative too. */
404	add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
405	continue;
406	}
407	}
408
409	if ( ads_try_connect(ads, server) ) {
410	SAFE_FREE(ip_list);
411	SAFE_FREE(sitename);
412	return NT_STATUS_OK;
413	}
414
415	/* keep track of failures */
416	add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );
417	}
418
419	SAFE_FREE(ip_list);
420
421	/* In case we failed to contact one of our closest DC on our site we
422	* need to try to find another DC, retry with a site-less SRV DNS query
423	* - Guenther */
424
425	if (sitename) {
426	DEBUG(1,("ads_find_dc: failed to find a valid DC on our site (%s), "
427	"trying to find another DC\n", sitename));
428	SAFE_FREE(sitename);
429	namecache_delete(realm, 0x1C);
430	goto again;
431	}
432
433	return NT_STATUS_NO_LOGON_SERVERS;
434	}
435
436
437	/**
438	* Connect to the LDAP server
439	* @param ads Pointer to an existing ADS_STRUCT
440	* @return status of connection
441	**/
442	ADS_STATUS ads_connect(ADS_STRUCT *ads)
443	{
444	int version = LDAP_VERSION3;
445	ADS_STATUS status;
446	NTSTATUS ntstatus;
447	char addr[INET6_ADDRSTRLEN];
448
449	ZERO_STRUCT(ads->ldap);
450	ads->ldap.last_attempt = time(NULL);
451	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
452
453	/* try with a user specified server */
454
455	if (DEBUGLEVEL >= 11) {
456	char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
457	DEBUG(11,("ads_connect: entering\n"));
458	DEBUGADD(11,("%s\n", s));
459	TALLOC_FREE(s);
460	}
461
462	if (ads->server.ldap_server &&
463	ads_try_connect(ads, ads->server.ldap_server)) {
464	goto got_connection;
465	}
466
467	ntstatus = ads_find_dc(ads);
468	if (NT_STATUS_IS_OK(ntstatus)) {
469	goto got_connection;
470	}
471
472	status = ADS_ERROR_NT(ntstatus);
473	goto out;
474
475	got_connection:
476
477	print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
478	DEBUG(3,("Successfully contacted LDAP server %s\n", addr));
479
480	if (!ads->auth.user_name) {
481	/* Must use the userPrincipalName value here or sAMAccountName
482	and not servicePrincipalName; found by Guenther Deschner */
483
484	asprintf(&ads->auth.user_name, "%s$", global_myname() );
485	}
486
487	if (!ads->auth.realm) {
488	ads->auth.realm = SMB_STRDUP(ads->config.realm);
489	}
490
491	if (!ads->auth.kdc_server) {
492	print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
493	ads->auth.kdc_server = SMB_STRDUP(addr);
494	}
495
496	#if KRB5_DNS_HACK
497	/* this is a really nasty hack to avoid ADS DNS problems. It needs a patch
498	to MIT kerberos to work (tridge) */
499	{
500	char *env;
501	asprintf(&env, "KRB5_KDC_ADDRESS_%s", ads->config.realm);
502	setenv(env, ads->auth.kdc_server, 1);
503	free(env);
504	}
505	#endif
506
507	/* If the caller() requested no LDAP bind, then we are done */
508
509	if (ads->auth.flags & ADS_AUTH_NO_BIND) {
510	status = ADS_SUCCESS;
511	goto out;
512	}
513
514	ads->ldap.mem_ctx = talloc_init("ads LDAP connection memory");
515	if (!ads->ldap.mem_ctx) {
516	status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
517	goto out;
518	}
519
520	/* Otherwise setup the TCP LDAP session */
521
522	ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
523	LDAP_PORT, lp_ldap_timeout());
524	if (ads->ldap.ld == NULL) {
525	status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
526	goto out;
527	}
528	DEBUG(3,("Connected to LDAP server %s\n", ads->config.ldap_server_name));
529
530	/* cache the successful connection for workgroup and realm */
531	if (ads_closest_dc(ads)) {
532	saf_store( ads->server.workgroup, ads->config.ldap_server_name);
533	saf_store( ads->server.realm, ads->config.ldap_server_name);
534	}
535
536	ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
537
538	status = ADS_ERROR(smb_ldap_start_tls(ads->ldap.ld, version));
539	if (!ADS_ERR_OK(status)) {
540	goto out;
541	}
542
543	/* fill in the current time and offsets */
544
545	status = ads_current_time( ads );
546	if ( !ADS_ERR_OK(status) ) {
547	goto out;
548	}
549
550	/* Now do the bind */
551
552	if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
553	status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, NULL, NULL));
554	goto out;
555	}
556
557	if (ads->auth.flags & ADS_AUTH_SIMPLE_BIND) {
558	status = ADS_ERROR(ldap_simple_bind_s(ads->ldap.ld, ads->auth.user_name, ads->auth.password));
559	goto out;
560	}
561
562	status = ads_sasl_bind(ads);
563
564	out:
565	if (DEBUGLEVEL >= 11) {
566	char *s = NDR_PRINT_STRUCT_STRING(talloc_tos(), ads_struct, ads);
567	DEBUG(11,("ads_connect: leaving with: %s\n",
568	ads_errstr(status)));
569	DEBUGADD(11,("%s\n", s));
570	TALLOC_FREE(s);
571	}
572
573	return status;
574	}
575
576	/**
577	* Disconnect the LDAP server
578	* @param ads Pointer to an existing ADS_STRUCT
579	**/
580	void ads_disconnect(ADS_STRUCT *ads)
581	{
582	if (ads->ldap.ld) {
583	ldap_unbind(ads->ldap.ld);
584	ads->ldap.ld = NULL;
585	}
586	if (ads->ldap.wrap_ops && ads->ldap.wrap_ops->disconnect) {
587	ads->ldap.wrap_ops->disconnect(ads);
588	}
589	if (ads->ldap.mem_ctx) {
590	talloc_free(ads->ldap.mem_ctx);
591	}
592	ZERO_STRUCT(ads->ldap);
593	}
594
595	/*
596	Duplicate a struct berval into talloc'ed memory
597	*/
598	static struct berval dup_berval(TALLOC_CTX ctx, const struct berval *in_val)
599	{
600	struct berval *value;
601
602	if (!in_val) return NULL;
603
604	value = TALLOC_ZERO_P(ctx, struct berval);
605	if (value == NULL)
606	return NULL;
607	if (in_val->bv_len == 0) return value;
608
609	value->bv_len = in_val->bv_len;
610	value->bv_val = (char *)TALLOC_MEMDUP(ctx, in_val->bv_val,
611	in_val->bv_len);
612	return value;
613	}
614
615	/*
616	Make a values list out of an array of (struct berval *)
617	*/
618	static struct berval *ads_dup_values(TALLOC_CTX ctx,
619	const struct berval **in_vals)
620	{
621	struct berval **values;
622	int i;
623
624	if (!in_vals) return NULL;
625	for (i=0; in_vals[i]; i++)
626	; /* count values */
627	values = TALLOC_ZERO_ARRAY(ctx, struct berval *, i+1);
628	if (!values) return NULL;
629
630	for (i=0; in_vals[i]; i++) {
631	values[i] = dup_berval(ctx, in_vals[i]);
632	}
633	return values;
634	}
635
636	/*
637	UTF8-encode a values list out of an array of (char *)
638	*/
639	static char *ads_push_strvals(TALLOC_CTX ctx, const char **in_vals)
640	{
641	char **values;
642	int i;
643
644	if (!in_vals) return NULL;
645	for (i=0; in_vals[i]; i++)
646	; /* count values */
647	values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
648	if (!values) return NULL;
649
650	for (i=0; in_vals[i]; i++) {
651	if (push_utf8_talloc(ctx, &values[i], in_vals[i]) == (size_t) -1) {
652	TALLOC_FREE(values);
653	return NULL;
654	}
655	}
656	return values;
657	}
658
659	/*
660	Pull a (char *) array out of a UTF8-encoded values list
661	*/
662	static char *ads_pull_strvals(TALLOC_CTX ctx, const char **in_vals)
663	{
664	char **values;
665	int i;
666
667	if (!in_vals) return NULL;
668	for (i=0; in_vals[i]; i++)
669	; /* count values */
670	values = TALLOC_ZERO_ARRAY(ctx, char *, i+1);
671	if (!values) return NULL;
672
673	for (i=0; in_vals[i]; i++) {
674	pull_utf8_talloc(ctx, &values[i], in_vals[i]);
675	}
676	return values;
677	}
678
679	/**
680	* Do a search with paged results. cookie must be null on the first
681	* call, and then returned on each subsequent call. It will be null
682	* again when the entire search is complete
683	* @param ads connection to ads server
684	* @param bind_path Base dn for the search
685	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
686	* @param expr Search expression - specified in local charset
687	* @param attrs Attributes to retrieve - specified in utf8 or ascii
688	* @param res ** which will contain results - free res* with ads_msgfree()
689	* @param count Number of entries retrieved on this page
690	* @param cookie The paged results cookie to be returned on subsequent calls
691	* @return status of search
692	**/
693	static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
694	const char *bind_path,
695	int scope, const char *expr,
696	const char *attrs, void args,
697	LDAPMessage **res,
698	int count, struct berval *cookie)
699	{
700	int rc, i, version;
701	char utf8_expr, utf8_path, **search_attrs;
702	LDAPControl PagedResults, NoReferrals, ExternalCtrl, controls[4], *rcontrols;
703	BerElement *cookie_be = NULL;
704	struct berval *cookie_bv= NULL;
705	BerElement *ext_be = NULL;
706	struct berval *ext_bv= NULL;
707
708	TALLOC_CTX *ctx;
709	ads_control external_control = (ads_control ) args;
710
711	*res = NULL;
712
713	if (!(ctx = talloc_init("ads_do_paged_search_args")))
714	return ADS_ERROR(LDAP_NO_MEMORY);
715
716	/* 0 means the conversion worked but the result was empty
717	so we only fail if it's -1. In any case, it always
718	at least nulls out the dest */
719	if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) \|\|
720	(push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
721	rc = LDAP_NO_MEMORY;
722	goto done;
723	}
724
725	if (!attrs \|\| !(*attrs))
726	search_attrs = NULL;
727	else {
728	/* This would be the utf8-encoded version...*/
729	/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
730	if (!(str_list_copy(talloc_tos(), &search_attrs, attrs))) {
731	rc = LDAP_NO_MEMORY;
732	goto done;
733	}
734	}
735
736	/* Paged results only available on ldap v3 or later */
737	ldap_get_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
738	if (version < LDAP_VERSION3) {
739	rc = LDAP_NOT_SUPPORTED;
740	goto done;
741	}
742
743	cookie_be = ber_alloc_t(LBER_USE_DER);
744	if (*cookie) {
745	ber_printf(cookie_be, "{iO}", (ber_int_t) 1000, *cookie);
746	ber_bvfree(cookie); / don't need it from last time */
747	*cookie = NULL;
748	} else {
749	ber_printf(cookie_be, "{io}", (ber_int_t) 1000, "", 0);
750	}
751	ber_flatten(cookie_be, &cookie_bv);
752	PagedResults.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
753	PagedResults.ldctl_iscritical = (char) 1;
754	PagedResults.ldctl_value.bv_len = cookie_bv->bv_len;
755	PagedResults.ldctl_value.bv_val = cookie_bv->bv_val;
756
757	NoReferrals.ldctl_oid = CONST_DISCARD(char *, ADS_NO_REFERRALS_OID);
758	NoReferrals.ldctl_iscritical = (char) 0;
759	NoReferrals.ldctl_value.bv_len = 0;
760	NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
761
762	if (external_control &&
763	(strequal(external_control->control, ADS_EXTENDED_DN_OID) \|\|
764	strequal(external_control->control, ADS_SD_FLAGS_OID))) {
765
766	ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
767	ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
768
769	/* win2k does not accept a ldctl_value beeing passed in */
770
771	if (external_control->val != 0) {
772
773	if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
774	rc = LDAP_NO_MEMORY;
775	goto done;
776	}
777
778	if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
779	rc = LDAP_NO_MEMORY;
780	goto done;
781	}
782	if ((ber_flatten(ext_be, &ext_bv)) == -1) {
783	rc = LDAP_NO_MEMORY;
784	goto done;
785	}
786
787	ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
788	ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
789
790	} else {
791	ExternalCtrl.ldctl_value.bv_len = 0;
792	ExternalCtrl.ldctl_value.bv_val = NULL;
793	}
794
795	controls[0] = &NoReferrals;
796	controls[1] = &PagedResults;
797	controls[2] = &ExternalCtrl;
798	controls[3] = NULL;
799
800	} else {
801	controls[0] = &NoReferrals;
802	controls[1] = &PagedResults;
803	controls[2] = NULL;
804	}
805
806	/* we need to disable referrals as the openldap libs don't
807	handle them and paged results at the same time. Using them
808	together results in the result record containing the server
809	page control being removed from the result list (tridge/jmcd)
810
811	leaving this in despite the control that says don't generate
812	referrals, in case the server doesn't support it (jmcd)
813	*/
814	ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
815
816	rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
817	search_attrs, 0, controls,
818	NULL, LDAP_NO_LIMIT,
819	(LDAPMessage **)res);
820
821	ber_free(cookie_be, 1);
822	ber_bvfree(cookie_bv);
823
824	if (rc) {
825	DEBUG(3,("ads_do_paged_search_args: ldap_search_with_timeout(%s) -> %s\n", expr,
826	ldap_err2string(rc)));
827	goto done;
828	}
829
830	rc = ldap_parse_result(ads->ldap.ld, *res, NULL, NULL, NULL,
831	NULL, &rcontrols, 0);
832
833	if (!rcontrols) {
834	goto done;
835	}
836
837	for (i=0; rcontrols[i]; i++) {
838	if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) == 0) {
839	cookie_be = ber_init(&rcontrols[i]->ldctl_value);
840	ber_scanf(cookie_be,"{iO}", (ber_int_t *) count,
841	&cookie_bv);
842	/* the berval is the cookie, but must be freed when
843	it is all done */
844	if (cookie_bv->bv_len) /* still more to do */
845	*cookie=ber_bvdup(cookie_bv);
846	else
847	*cookie=NULL;
848	ber_bvfree(cookie_bv);
849	ber_free(cookie_be, 1);
850	break;
851	}
852	}
853	ldap_controls_free(rcontrols);
854
855	done:
856	talloc_destroy(ctx);
857
858	if (ext_be) {
859	ber_free(ext_be, 1);
860	}
861
862	if (ext_bv) {
863	ber_bvfree(ext_bv);
864	}
865
866	/* if/when we decide to utf8-encode attrs, take out this next line */
867	TALLOC_FREE(search_attrs);
868
869	return ADS_ERROR(rc);
870	}
871
872	static ADS_STATUS ads_do_paged_search(ADS_STRUCT ads, const char bind_path,
873	int scope, const char *expr,
874	const char attrs, LDAPMessage res,
875	int count, struct berval *cookie)
876	{
877	return ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, NULL, res, count, cookie);
878	}
879
880
881	/**
882	* Get all results for a search. This uses ads_do_paged_search() to return
883	* all entries in a large search.
884	* @param ads connection to ads server
885	* @param bind_path Base dn for the search
886	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
887	* @param expr Search expression
888	* @param attrs Attributes to retrieve
889	* @param res ** which will contain results - free res* with ads_msgfree()
890	* @return status of search
891	**/
892	ADS_STATUS ads_do_search_all_args(ADS_STRUCT ads, const char bind_path,
893	int scope, const char *expr,
894	const char *attrs, void args,
895	LDAPMessage **res)
896	{
897	struct berval *cookie = NULL;
898	int count = 0;
899	ADS_STATUS status;
900
901	*res = NULL;
902	status = ads_do_paged_search_args(ads, bind_path, scope, expr, attrs, args, res,
903	&count, &cookie);
904
905	if (!ADS_ERR_OK(status))
906	return status;
907
908	#ifdef HAVE_LDAP_ADD_RESULT_ENTRY
909	while (cookie) {
910	LDAPMessage *res2 = NULL;
911	ADS_STATUS status2;
912	LDAPMessage msg, next;
913
914	status2 = ads_do_paged_search_args(ads, bind_path, scope, expr,
915	attrs, args, &res2, &count, &cookie);
916
917	if (!ADS_ERR_OK(status2)) break;
918
919	/* this relies on the way that ldap_add_result_entry() works internally. I hope
920	that this works on all ldap libs, but I have only tested with openldap */
921	for (msg = ads_first_message(ads, res2); msg; msg = next) {
922	next = ads_next_message(ads, msg);
923	ldap_add_result_entry((LDAPMessage **)res, msg);
924	}
925	/* note that we do not free res2, as the memory is now
926	part of the main returned list */
927	}
928	#else
929	DEBUG(0, ("no ldap_add_result_entry() support in LDAP libs!\n"));
930	status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
931	#endif
932
933	return status;
934	}
935
936	ADS_STATUS ads_do_search_all(ADS_STRUCT ads, const char bind_path,
937	int scope, const char *expr,
938	const char attrs, LDAPMessage res)
939	{
940	return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
941	}
942
943	ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT ads, const char bind_path,
944	int scope, const char *expr,
945	const char **attrs, uint32 sd_flags,
946	LDAPMessage **res)
947	{
948	ads_control args;
949
950	args.control = ADS_SD_FLAGS_OID;
951	args.val = sd_flags;
952	args.critical = True;
953
954	return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
955	}
956
957
958	/**
959	* Run a function on all results for a search. Uses ads_do_paged_search() and
960	* runs the function as each page is returned, using ads_process_results()
961	* @param ads connection to ads server
962	* @param bind_path Base dn for the search
963	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
964	* @param expr Search expression - specified in local charset
965	* @param attrs Attributes to retrieve - specified in UTF-8 or ascii
966	* @param fn Function which takes attr name, values list, and data_area
967	* @param data_area Pointer which is passed to function on each call
968	* @return status of search
969	**/
970	ADS_STATUS ads_do_search_all_fn(ADS_STRUCT ads, const char bind_path,
971	int scope, const char expr, const char *attrs,
972	bool (fn)(ADS_STRUCT , char , void , void ),
973	void *data_area)
974	{
975	struct berval *cookie = NULL;
976	int count = 0;
977	ADS_STATUS status;
978	LDAPMessage *res;
979
980	status = ads_do_paged_search(ads, bind_path, scope, expr, attrs, &res,
981	&count, &cookie);
982
983	if (!ADS_ERR_OK(status)) return status;
984
985	ads_process_results(ads, res, fn, data_area);
986	ads_msgfree(ads, res);
987
988	while (cookie) {
989	status = ads_do_paged_search(ads, bind_path, scope, expr, attrs,
990	&res, &count, &cookie);
991
992	if (!ADS_ERR_OK(status)) break;
993
994	ads_process_results(ads, res, fn, data_area);
995	ads_msgfree(ads, res);
996	}
997
998	return status;
999	}
1000
1001	/**
1002	* Do a search with a timeout.
1003	* @param ads connection to ads server
1004	* @param bind_path Base dn for the search
1005	* @param scope Scope of search (LDAP_SCOPE_BASE \| LDAP_SCOPE_ONE \| LDAP_SCOPE_SUBTREE)
1006	* @param expr Search expression
1007	* @param attrs Attributes to retrieve
1008	* @param res ** which will contain results - free res* with ads_msgfree()
1009	* @return status of search
1010	**/
1011	ADS_STATUS ads_do_search(ADS_STRUCT ads, const char bind_path, int scope,
1012	const char *expr,
1013	const char attrs, LDAPMessage res)
1014	{
1015	int rc;
1016	char utf8_expr, utf8_path, **search_attrs = NULL;
1017	TALLOC_CTX *ctx;
1018
1019	*res = NULL;
1020	if (!(ctx = talloc_init("ads_do_search"))) {
1021	DEBUG(1,("ads_do_search: talloc_init() failed!"));
1022	return ADS_ERROR(LDAP_NO_MEMORY);
1023	}
1024
1025	/* 0 means the conversion worked but the result was empty
1026	so we only fail if it's negative. In any case, it always
1027	at least nulls out the dest */
1028	if ((push_utf8_talloc(ctx, &utf8_expr, expr) == (size_t)-1) \|\|
1029	(push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
1030	DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
1031	rc = LDAP_NO_MEMORY;
1032	goto done;
1033	}
1034
1035	if (!attrs \|\| !(*attrs))
1036	search_attrs = NULL;
1037	else {
1038	/* This would be the utf8-encoded version...*/
1039	/* if (!(search_attrs = ads_push_strvals(ctx, attrs))) */
1040	if (!(str_list_copy(talloc_tos(), &search_attrs, attrs)))
1041	{
1042	DEBUG(1,("ads_do_search: str_list_copy() failed!"));
1043	rc = LDAP_NO_MEMORY;
1044	goto done;
1045	}
1046	}
1047
1048	/* see the note in ads_do_paged_search - we must disable referrals */
1049	ldap_set_option(ads->ldap.ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1050
1051	rc = ldap_search_with_timeout(ads->ldap.ld, utf8_path, scope, utf8_expr,
1052	search_attrs, 0, NULL, NULL,
1053	LDAP_NO_LIMIT,
1054	(LDAPMessage **)res);
1055
1056	if (rc == LDAP_SIZELIMIT_EXCEEDED) {
1057	DEBUG(3,("Warning! sizelimit exceeded in ldap. Truncating.\n"));
1058	rc = 0;
1059	}
1060
1061	done:
1062	talloc_destroy(ctx);
1063	/* if/when we decide to utf8-encode attrs, take out this next line */
1064	TALLOC_FREE(search_attrs);
1065	return ADS_ERROR(rc);
1066	}
1067	/**
1068	* Do a general ADS search
1069	* @param ads connection to ads server
1070	* @param res ** which will contain results - free res* with ads_msgfree()
1071	* @param expr Search expression
1072	* @param attrs Attributes to retrieve
1073	* @return status of search
1074	**/
1075	ADS_STATUS ads_search(ADS_STRUCT ads, LDAPMessage *res,
1076	const char expr, const char *attrs)
1077	{
1078	return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
1079	expr, attrs, res);
1080	}
1081
1082	/**
1083	* Do a search on a specific DistinguishedName
1084	* @param ads connection to ads server
1085	* @param res ** which will contain results - free res* with ads_msgfree()
1086	* @param dn DistinguishName to search
1087	* @param attrs Attributes to retrieve
1088	* @return status of search
1089	**/
1090	ADS_STATUS ads_search_dn(ADS_STRUCT ads, LDAPMessage *res,
1091	const char dn, const char *attrs)
1092	{
1093	return ads_do_search(ads, dn, LDAP_SCOPE_BASE, "(objectclass=*)",
1094	attrs, res);
1095	}
1096
1097	/**
1098	* Free up memory from a ads_search
1099	* @param ads connection to ads server
1100	* @param msg Search results to free
1101	**/
1102	void ads_msgfree(ADS_STRUCT ads, LDAPMessage msg)
1103	{
1104	if (!msg) return;
1105	ldap_msgfree(msg);
1106	}
1107
1108	/**
1109	* Free up memory from various ads requests
1110	* @param ads connection to ads server
1111	* @param mem Area to free
1112	**/
1113	void ads_memfree(ADS_STRUCT ads, void mem)
1114	{
1115	SAFE_FREE(mem);
1116	}
1117
1118	/**
1119	* Get a dn from search results
1120	* @param ads connection to ads server
1121	* @param msg Search result
1122	* @return dn string
1123	**/
1124	char ads_get_dn(ADS_STRUCT ads, LDAPMessage *msg)
1125	{
1126	char utf8_dn, unix_dn;
1127
1128	utf8_dn = ldap_get_dn(ads->ldap.ld, msg);
1129
1130	if (!utf8_dn) {
1131	DEBUG (5, ("ads_get_dn: ldap_get_dn failed\n"));
1132	return NULL;
1133	}
1134
1135	if (pull_utf8_allocate(&unix_dn, utf8_dn) == (size_t)-1) {
1136	DEBUG(0,("ads_get_dn: string conversion failure utf8 [%s]\n",
1137	utf8_dn ));
1138	return NULL;
1139	}
1140	ldap_memfree(utf8_dn);
1141	return unix_dn;
1142	}
1143
1144	/**
1145	* Get the parent from a dn
1146	* @param dn the dn to return the parent from
1147	* @return parent dn string
1148	**/
1149	char ads_parent_dn(const char dn)
1150	{
1151	char *p;
1152
1153	if (dn == NULL) {
1154	return NULL;
1155	}
1156
1157	p = strchr(dn, ',');
1158
1159	if (p == NULL) {
1160	return NULL;
1161	}
1162
1163	return p+1;
1164	}
1165
1166	/**
1167	* Find a machine account given a hostname
1168	* @param ads connection to ads server
1169	* @param res ** which will contain results - free res* with ads_msgfree()
1170	* @param host Hostname to search for
1171	* @return status of search
1172	**/
1173	ADS_STATUS ads_find_machine_acct(ADS_STRUCT ads, LDAPMessage *res,
1174	const char *machine)
1175	{
1176	ADS_STATUS status;
1177	char *expr;
1178	const char attrs[] = {"", "nTSecurityDescriptor", NULL};
1179
1180	*res = NULL;
1181
1182	/* the easiest way to find a machine account anywhere in the tree
1183	is to look for hostname$ */
1184	if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
1185	DEBUG(1, ("asprintf failed!\n"));
1186	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1187	}
1188
1189	status = ads_search(ads, res, expr, attrs);
1190	SAFE_FREE(expr);
1191	return status;
1192	}
1193
1194	/**
1195	* Initialize a list of mods to be used in a modify request
1196	* @param ctx An initialized TALLOC_CTX
1197	* @return allocated ADS_MODLIST
1198	**/
1199	ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx)
1200	{
1201	#define ADS_MODLIST_ALLOC_SIZE 10
1202	LDAPMod **mods;
1203
1204	if ((mods = TALLOC_ZERO_ARRAY(ctx, LDAPMod *, ADS_MODLIST_ALLOC_SIZE + 1)))
1205	/* -1 is safety to make sure we don't go over the end.
1206	need to reset it to NULL before doing ldap modify */
1207	mods[ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1208
1209	return (ADS_MODLIST)mods;
1210	}
1211
1212
1213	/*
1214	add an attribute to the list, with values list already constructed
1215	*/
1216	static ADS_STATUS ads_modlist_add(TALLOC_CTX ctx, ADS_MODLIST mods,
1217	int mod_op, const char *name,
1218	const void *_invals)
1219	{
1220	const void invals = (const void )_invals;
1221	int curmod;
1222	LDAPMod modlist = (LDAPMod ) *mods;
1223	struct berval **ber_values = NULL;
1224	char **char_values = NULL;
1225
1226	if (!invals) {
1227	mod_op = LDAP_MOD_DELETE;
1228	} else {
1229	if (mod_op & LDAP_MOD_BVALUES)
1230	ber_values = ads_dup_values(ctx,
1231	(const struct berval **)invals);
1232	else
1233	char_values = ads_push_strvals(ctx,
1234	(const char **) invals);
1235	}
1236
1237	/* find the first empty slot */
1238	for (curmod=0; modlist[curmod] && modlist[curmod] != (LDAPMod *) -1;
1239	curmod++);
1240	if (modlist[curmod] == (LDAPMod *) -1) {
1241	if (!(modlist = TALLOC_REALLOC_ARRAY(ctx, modlist, LDAPMod *,
1242	curmod+ADS_MODLIST_ALLOC_SIZE+1)))
1243	return ADS_ERROR(LDAP_NO_MEMORY);
1244	memset(&modlist[curmod], 0,
1245	ADS_MODLIST_ALLOC_SIZEsizeof(LDAPMod ));
1246	modlist[curmod+ADS_MODLIST_ALLOC_SIZE] = (LDAPMod *) -1;
1247	*mods = (ADS_MODLIST)modlist;
1248	}
1249
1250	if (!(modlist[curmod] = TALLOC_ZERO_P(ctx, LDAPMod)))
1251	return ADS_ERROR(LDAP_NO_MEMORY);
1252	modlist[curmod]->mod_type = talloc_strdup(ctx, name);
1253	if (mod_op & LDAP_MOD_BVALUES) {
1254	modlist[curmod]->mod_bvalues = ber_values;
1255	} else if (mod_op & LDAP_MOD_DELETE) {
1256	modlist[curmod]->mod_values = NULL;
1257	} else {
1258	modlist[curmod]->mod_values = char_values;
1259	}
1260
1261	modlist[curmod]->mod_op = mod_op;
1262	return ADS_ERROR(LDAP_SUCCESS);
1263	}
1264
1265	/**
1266	* Add a single string value to a mod list
1267	* @param ctx An initialized TALLOC_CTX
1268	* @param mods An initialized ADS_MODLIST
1269	* @param name The attribute name to add
1270	* @param val The value to add - NULL means DELETE
1271	* @return ADS STATUS indicating success of add
1272	**/
1273	ADS_STATUS ads_mod_str(TALLOC_CTX ctx, ADS_MODLIST mods,
1274	const char name, const char val)
1275	{
1276	const char *values[2];
1277
1278	values[0] = val;
1279	values[1] = NULL;
1280
1281	if (!val)
1282	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1283	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE, name, values);
1284	}
1285
1286	/**
1287	* Add an array of string values to a mod list
1288	* @param ctx An initialized TALLOC_CTX
1289	* @param mods An initialized ADS_MODLIST
1290	* @param name The attribute name to add
1291	* @param vals The array of string values to add - NULL means DELETE
1292	* @return ADS STATUS indicating success of add
1293	**/
1294	ADS_STATUS ads_mod_strlist(TALLOC_CTX ctx, ADS_MODLIST mods,
1295	const char name, const char *vals)
1296	{
1297	if (!vals)
1298	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1299	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE,
1300	name, (const void **) vals);
1301	}
1302
1303	#if 0
1304	/**
1305	* Add a single ber-encoded value to a mod list
1306	* @param ctx An initialized TALLOC_CTX
1307	* @param mods An initialized ADS_MODLIST
1308	* @param name The attribute name to add
1309	* @param val The value to add - NULL means DELETE
1310	* @return ADS STATUS indicating success of add
1311	**/
1312	static ADS_STATUS ads_mod_ber(TALLOC_CTX ctx, ADS_MODLIST mods,
1313	const char name, const struct berval val)
1314	{
1315	const struct berval *values[2];
1316
1317	values[0] = val;
1318	values[1] = NULL;
1319	if (!val)
1320	return ads_modlist_add(ctx, mods, LDAP_MOD_DELETE, name, NULL);
1321	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE\|LDAP_MOD_BVALUES,
1322	name, (const void **) values);
1323	}
1324	#endif
1325
1326	/**
1327	* Perform an ldap modify
1328	* @param ads connection to ads server
1329	* @param mod_dn DistinguishedName to modify
1330	* @param mods list of modifications to perform
1331	* @return status of modify
1332	**/
1333	ADS_STATUS ads_gen_mod(ADS_STRUCT ads, const char mod_dn, ADS_MODLIST mods)
1334	{
1335	int ret,i;
1336	char *utf8_dn = NULL;
1337	/*
1338	this control is needed to modify that contains a currently
1339	non-existent attribute (but allowable for the object) to run
1340	*/
1341	LDAPControl PermitModify = {
1342	CONST_DISCARD(char *, ADS_PERMIT_MODIFY_OID),
1343	{0, NULL},
1344	(char) 1};
1345	LDAPControl *controls[2];
1346
1347	controls[0] = &PermitModify;
1348	controls[1] = NULL;
1349
1350	if (push_utf8_allocate(&utf8_dn, mod_dn) == -1) {
1351	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1352	}
1353
1354	/* find the end of the list, marked by NULL or -1 */
1355	for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1356	/* make sure the end of the list is NULL */
1357	mods[i] = NULL;
1358	ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
1359	(LDAPMod **) mods, controls, NULL);
1360	SAFE_FREE(utf8_dn);
1361	return ADS_ERROR(ret);
1362	}
1363
1364	/**
1365	* Perform an ldap add
1366	* @param ads connection to ads server
1367	* @param new_dn DistinguishedName to add
1368	* @param mods list of attributes and values for DN
1369	* @return status of add
1370	**/
1371	ADS_STATUS ads_gen_add(ADS_STRUCT ads, const char new_dn, ADS_MODLIST mods)
1372	{
1373	int ret, i;
1374	char *utf8_dn = NULL;
1375
1376	if (push_utf8_allocate(&utf8_dn, new_dn) == -1) {
1377	DEBUG(1, ("ads_gen_add: push_utf8_allocate failed!"));
1378	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1379	}
1380
1381	/* find the end of the list, marked by NULL or -1 */
1382	for(i=0;(mods[i]!=0)&&(mods[i]!=(LDAPMod *) -1);i++);
1383	/* make sure the end of the list is NULL */
1384	mods[i] = NULL;
1385
1386	ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
1387	SAFE_FREE(utf8_dn);
1388	return ADS_ERROR(ret);
1389	}
1390
1391	/**
1392	* Delete a DistinguishedName
1393	* @param ads connection to ads server
1394	* @param new_dn DistinguishedName to delete
1395	* @return status of delete
1396	**/
1397	ADS_STATUS ads_del_dn(ADS_STRUCT ads, char del_dn)
1398	{
1399	int ret;
1400	char *utf8_dn = NULL;
1401	if (push_utf8_allocate(&utf8_dn, del_dn) == -1) {
1402	DEBUG(1, ("ads_del_dn: push_utf8_allocate failed!"));
1403	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
1404	}
1405
1406	ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
1407	SAFE_FREE(utf8_dn);
1408	return ADS_ERROR(ret);
1409	}
1410
1411	/**
1412	* Build an org unit string
1413	* if org unit is Computers or blank then assume a container, otherwise
1414	* assume a / separated list of organisational units.
1415	* jmcd: '\' is now used for escapes so certain chars can be in the ou (e.g. #)
1416	* @param ads connection to ads server
1417	* @param org_unit Organizational unit
1418	* @return org unit string - caller must free
1419	**/
1420	char ads_ou_string(ADS_STRUCT ads, const char *org_unit)
1421	{
1422	char *ret = NULL;
1423
1424	if (!org_unit \|\| !*org_unit) {
1425
1426	ret = ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
1427
1428	/* samba4 might not yet respond to a wellknownobject-query */
1429	return ret ? ret : SMB_STRDUP("cn=Computers");
1430	}
1431
1432	if (strequal(org_unit, "Computers")) {
1433	return SMB_STRDUP("cn=Computers");
1434	}
1435
1436	/* jmcd: removed "\\" from the separation chars, because it is
1437	needed as an escape for chars like '#' which are valid in an
1438	OU name */
1439	return ads_build_path(org_unit, "/", "ou=", 1);
1440	}
1441
1442	/**
1443	* Get a org unit string for a well-known GUID
1444	* @param ads connection to ads server
1445	* @param wknguid Well known GUID
1446	* @return org unit string - caller must free
1447	**/
1448	char ads_default_ou_string(ADS_STRUCT ads, const char *wknguid)
1449	{
1450	ADS_STATUS status;
1451	LDAPMessage *res = NULL;
1452	char base, wkn_dn = NULL, ret = NULL, *wkn_dn_exp = NULL,
1453	**bind_dn_exp = NULL;
1454	const char *attrs[] = {"distinguishedName", NULL};
1455	int new_ln, wkn_ln, bind_ln, i;
1456
1457	if (wknguid == NULL) {
1458	return NULL;
1459	}
1460
1461	if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
1462	DEBUG(1, ("asprintf failed!\n"));
1463	return NULL;
1464	}
1465
1466	status = ads_search_dn(ads, &res, base, attrs);
1467	if (!ADS_ERR_OK(status)) {
1468	DEBUG(1,("Failed while searching for: %s\n", base));
1469	goto out;
1470	}
1471
1472	if (ads_count_replies(ads, res) != 1) {
1473	goto out;
1474	}
1475
1476	/* substitute the bind-path from the well-known-guid-search result */
1477	wkn_dn = ads_get_dn(ads, res);
1478	if (!wkn_dn) {
1479	goto out;
1480	}
1481
1482	wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
1483	if (!wkn_dn_exp) {
1484	goto out;
1485	}
1486
1487	bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
1488	if (!bind_dn_exp) {
1489	goto out;
1490	}
1491
1492	for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
1493	;
1494	for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
1495	;
1496
1497	new_ln = wkn_ln - bind_ln;
1498
1499	ret = SMB_STRDUP(wkn_dn_exp[0]);
1500	if (!ret) {
1501	goto out;
1502	}
1503
1504	for (i=1; i < new_ln; i++) {
1505	char *s = NULL;
1506
1507	if (asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]) == -1) {
1508	SAFE_FREE(ret);
1509	goto out;
1510	}
1511
1512	SAFE_FREE(ret);
1513	ret = SMB_STRDUP(s);
1514	free(s);
1515	if (!ret) {
1516	goto out;
1517	}
1518	}
1519
1520	out:
1521	SAFE_FREE(base);
1522	ads_msgfree(ads, res);
1523	ads_memfree(ads, wkn_dn);
1524	if (wkn_dn_exp) {
1525	ldap_value_free(wkn_dn_exp);
1526	}
1527	if (bind_dn_exp) {
1528	ldap_value_free(bind_dn_exp);
1529	}
1530
1531	return ret;
1532	}
1533
1534	/**
1535	* Adds (appends) an item to an attribute array, rather then
1536	* replacing the whole list
1537	* @param ctx An initialized TALLOC_CTX
1538	* @param mods An initialized ADS_MODLIST
1539	* @param name name of the ldap attribute to append to
1540	* @param vals an array of values to add
1541	* @return status of addition
1542	**/
1543
1544	ADS_STATUS ads_add_strlist(TALLOC_CTX ctx, ADS_MODLIST mods,
1545	const char name, const char *vals)
1546	{
1547	return ads_modlist_add(ctx, mods, LDAP_MOD_ADD, name,
1548	(const void *) vals);
1549	}
1550
1551	/**
1552	* Determines the computer account's current KVNO via an LDAP lookup
1553	* @param ads An initialized ADS_STRUCT
1554	* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1555	* @return the kvno for the computer account, or -1 in case of a failure.
1556	**/
1557
1558	uint32 ads_get_kvno(ADS_STRUCT ads, const char machine_name)
1559	{
1560	LDAPMessage *res = NULL;
1561	uint32 kvno = (uint32)-1; /* -1 indicates a failure */
1562	char *filter;
1563	const char *attrs[] = {"msDS-KeyVersionNumber", NULL};
1564	char *dn_string = NULL;
1565	ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1566
1567	DEBUG(5,("ads_get_kvno: Searching for host %s\n", machine_name));
1568	if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1569	return kvno;
1570	}
1571	ret = ads_search(ads, &res, filter, attrs);
1572	SAFE_FREE(filter);
1573	if (!ADS_ERR_OK(ret) && ads_count_replies(ads, res)) {
1574	DEBUG(1,("ads_get_kvno: Computer Account For %s not found.\n", machine_name));
1575	ads_msgfree(ads, res);
1576	return kvno;
1577	}
1578
1579	dn_string = ads_get_dn(ads, res);
1580	if (!dn_string) {
1581	DEBUG(0,("ads_get_kvno: out of memory.\n"));
1582	ads_msgfree(ads, res);
1583	return kvno;
1584	}
1585	DEBUG(5,("ads_get_kvno: Using: %s\n", dn_string));
1586	ads_memfree(ads, dn_string);
1587
1588	/* ---------------------------------------------------------
1589	* 0 is returned as a default KVNO from this point on...
1590	* This is done because Windows 2000 does not support key
1591	* version numbers. Chances are that a failure in the next
1592	* step is simply due to Windows 2000 being used for a
1593	* domain controller. */
1594	kvno = 0;
1595
1596	if (!ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno)) {
1597	DEBUG(3,("ads_get_kvno: Error Determining KVNO!\n"));
1598	DEBUG(3,("ads_get_kvno: Windows 2000 does not support KVNO's, so this may be normal.\n"));
1599	ads_msgfree(ads, res);
1600	return kvno;
1601	}
1602
1603	/* Success */
1604	DEBUG(5,("ads_get_kvno: Looked Up KVNO of: %d\n", kvno));
1605	ads_msgfree(ads, res);
1606	return kvno;
1607	}
1608
1609	/**
1610	* This clears out all registered spn's for a given hostname
1611	* @param ads An initilaized ADS_STRUCT
1612	* @param machine_name the NetBIOS name of the computer.
1613	* @return 0 upon success, non-zero otherwise.
1614	**/
1615
1616	ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT ads, const char machine_name)
1617	{
1618	TALLOC_CTX *ctx;
1619	LDAPMessage *res = NULL;
1620	ADS_MODLIST mods;
1621	const char *servicePrincipalName[1] = {NULL};
1622	ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
1623	char *dn_string = NULL;
1624
1625	ret = ads_find_machine_acct(ads, &res, machine_name);
1626	if (!ADS_ERR_OK(ret) \|\| ads_count_replies(ads, res) != 1) {
1627	DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
1628	DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
1629	ads_msgfree(ads, res);
1630	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1631	}
1632
1633	DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
1634	ctx = talloc_init("ads_clear_service_principal_names");
1635	if (!ctx) {
1636	ads_msgfree(ads, res);
1637	return ADS_ERROR(LDAP_NO_MEMORY);
1638	}
1639
1640	if (!(mods = ads_init_mods(ctx))) {
1641	talloc_destroy(ctx);
1642	ads_msgfree(ads, res);
1643	return ADS_ERROR(LDAP_NO_MEMORY);
1644	}
1645	ret = ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1646	if (!ADS_ERR_OK(ret)) {
1647	DEBUG(1,("ads_clear_service_principal_names: Error creating strlist.\n"));
1648	ads_msgfree(ads, res);
1649	talloc_destroy(ctx);
1650	return ret;
1651	}
1652	dn_string = ads_get_dn(ads, res);
1653	if (!dn_string) {
1654	talloc_destroy(ctx);
1655	ads_msgfree(ads, res);
1656	return ADS_ERROR(LDAP_NO_MEMORY);
1657	}
1658	ret = ads_gen_mod(ads, dn_string, mods);
1659	ads_memfree(ads,dn_string);
1660	if (!ADS_ERR_OK(ret)) {
1661	DEBUG(1,("ads_clear_service_principal_names: Error: Updating Service Principals for machine %s in LDAP\n",
1662	machine_name));
1663	ads_msgfree(ads, res);
1664	talloc_destroy(ctx);
1665	return ret;
1666	}
1667
1668	ads_msgfree(ads, res);
1669	talloc_destroy(ctx);
1670	return ret;
1671	}
1672
1673	/**
1674	* This adds a service principal name to an existing computer account
1675	* (found by hostname) in AD.
1676	* @param ads An initialized ADS_STRUCT
1677	* @param machine_name the NetBIOS name of the computer, which is used to identify the computer account.
1678	* @param my_fqdn The fully qualified DNS name of the machine
1679	* @param spn A string of the service principal to add, i.e. 'host'
1680	* @return 0 upon sucess, or non-zero if a failure occurs
1681	**/
1682
1683	ADS_STATUS ads_add_service_principal_name(ADS_STRUCT ads, const char machine_name,
1684	const char my_fqdn, const char spn)
1685	{
1686	ADS_STATUS ret;
1687	TALLOC_CTX *ctx;
1688	LDAPMessage *res = NULL;
1689	char psp1, psp2;
1690	ADS_MODLIST mods;
1691	char *dn_string = NULL;
1692	const char *servicePrincipalName[3] = {NULL, NULL, NULL};
1693
1694	ret = ads_find_machine_acct(ads, &res, machine_name);
1695	if (!ADS_ERR_OK(ret) \|\| ads_count_replies(ads, res) != 1) {
1696	DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
1697	machine_name));
1698	DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principal '%s/%s@%s' has NOT been added.\n",
1699	spn, machine_name, ads->config.realm));
1700	ads_msgfree(ads, res);
1701	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
1702	}
1703
1704	DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
1705	if (!(ctx = talloc_init("ads_add_service_principal_name"))) {
1706	ads_msgfree(ads, res);
1707	return ADS_ERROR(LDAP_NO_MEMORY);
1708	}
1709
1710	/* add short name spn */
1711
1712	if ( (psp1 = talloc_asprintf(ctx, "%s/%s", spn, machine_name)) == NULL ) {
1713	talloc_destroy(ctx);
1714	ads_msgfree(ads, res);
1715	return ADS_ERROR(LDAP_NO_MEMORY);
1716	}
1717	strupper_m(psp1);
1718	strlower_m(&psp1[strlen(spn)]);
1719	servicePrincipalName[0] = psp1;
1720
1721	DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1722	psp1, machine_name));
1723
1724
1725	/* add fully qualified spn */
1726
1727	if ( (psp2 = talloc_asprintf(ctx, "%s/%s", spn, my_fqdn)) == NULL ) {
1728	ret = ADS_ERROR(LDAP_NO_MEMORY);
1729	goto out;
1730	}
1731	strupper_m(psp2);
1732	strlower_m(&psp2[strlen(spn)]);
1733	servicePrincipalName[1] = psp2;
1734
1735	DEBUG(5,("ads_add_service_principal_name: INFO: Adding %s to host %s\n",
1736	psp2, machine_name));
1737
1738	if ( (mods = ads_init_mods(ctx)) == NULL ) {
1739	ret = ADS_ERROR(LDAP_NO_MEMORY);
1740	goto out;
1741	}
1742
1743	ret = ads_add_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
1744	if (!ADS_ERR_OK(ret)) {
1745	DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1746	goto out;
1747	}
1748
1749	if ( (dn_string = ads_get_dn(ads, res)) == NULL ) {
1750	ret = ADS_ERROR(LDAP_NO_MEMORY);
1751	goto out;
1752	}
1753
1754	ret = ads_gen_mod(ads, dn_string, mods);
1755	ads_memfree(ads,dn_string);
1756	if (!ADS_ERR_OK(ret)) {
1757	DEBUG(1,("ads_add_service_principal_name: Error: Updating Service Principals in LDAP\n"));
1758	goto out;
1759	}
1760
1761	out:
1762	TALLOC_FREE( ctx );
1763	ads_msgfree(ads, res);
1764	return ret;
1765	}
1766
1767	/**
1768	* adds a machine account to the ADS server
1769	* @param ads An intialized ADS_STRUCT
1770	* @param machine_name - the NetBIOS machine name of this account.
1771	* @param account_type A number indicating the type of account to create
1772	* @param org_unit The LDAP path in which to place this account
1773	* @return 0 upon success, or non-zero otherwise
1774	**/
1775
1776	ADS_STATUS ads_create_machine_acct(ADS_STRUCT ads, const char machine_name,
1777	const char *org_unit)
1778	{
1779	ADS_STATUS ret;
1780	char samAccountName, controlstr;
1781	TALLOC_CTX *ctx;
1782	ADS_MODLIST mods;
1783	char *machine_escaped = NULL;
1784	char *new_dn;
1785	const char *objectClass[] = {"top", "person", "organizationalPerson",
1786	"user", "computer", NULL};
1787	LDAPMessage *res = NULL;
1788	uint32 acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT \|\
1789	UF_DONT_EXPIRE_PASSWD \|\
1790	UF_ACCOUNTDISABLE );
1791
1792	if (!(ctx = talloc_init("ads_add_machine_acct")))
1793	return ADS_ERROR(LDAP_NO_MEMORY);
1794
1795	ret = ADS_ERROR(LDAP_NO_MEMORY);
1796
1797	machine_escaped = escape_rdn_val_string_alloc(machine_name);
1798	if (!machine_escaped) {
1799	goto done;
1800	}
1801
1802	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
1803	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
1804
1805	if ( !new_dn \|\| !samAccountName ) {
1806	goto done;
1807	}
1808
1809	#ifndef ENCTYPE_ARCFOUR_HMAC
1810	acct_control \|= UF_USE_DES_KEY_ONLY;
1811	#endif
1812
1813	if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
1814	goto done;
1815	}
1816
1817	if (!(mods = ads_init_mods(ctx))) {
1818	goto done;
1819	}
1820
1821	ads_mod_str(ctx, &mods, "cn", machine_name);
1822	ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
1823	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
1824	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
1825
1826	ret = ads_gen_add(ads, new_dn, mods);
1827
1828	done:
1829	SAFE_FREE(machine_escaped);
1830	ads_msgfree(ads, res);
1831	talloc_destroy(ctx);
1832
1833	return ret;
1834	}
1835
1836	/**
1837	* move a machine account to another OU on the ADS server
1838	* @param ads - An intialized ADS_STRUCT
1839	* @param machine_name - the NetBIOS machine name of this account.
1840	* @param org_unit - The LDAP path in which to place this account
1841	* @param moved - whether we moved the machine account (optional)
1842	* @return 0 upon success, or non-zero otherwise
1843	**/
1844
1845	ADS_STATUS ads_move_machine_acct(ADS_STRUCT ads, const char machine_name,
1846	const char org_unit, bool moved)
1847	{
1848	ADS_STATUS rc;
1849	int ldap_status;
1850	LDAPMessage *res = NULL;
1851	char *filter = NULL;
1852	char *computer_dn = NULL;
1853	char *parent_dn;
1854	char *computer_rdn = NULL;
1855	bool need_move = False;
1856
1857	if (asprintf(&filter, "(samAccountName=%s$)", machine_name) == -1) {
1858	rc = ADS_ERROR(LDAP_NO_MEMORY);
1859	goto done;
1860	}
1861
1862	/* Find pre-existing machine */
1863	rc = ads_search(ads, &res, filter, NULL);
1864	if (!ADS_ERR_OK(rc)) {
1865	goto done;
1866	}
1867
1868	computer_dn = ads_get_dn(ads, res);
1869	if (!computer_dn) {
1870	rc = ADS_ERROR(LDAP_NO_MEMORY);
1871	goto done;
1872	}
1873
1874	parent_dn = ads_parent_dn(computer_dn);
1875	if (strequal(parent_dn, org_unit)) {
1876	goto done;
1877	}
1878
1879	need_move = True;
1880
1881	if (asprintf(&computer_rdn, "CN=%s", machine_name) == -1) {
1882	rc = ADS_ERROR(LDAP_NO_MEMORY);
1883	goto done;
1884	}
1885
1886	ldap_status = ldap_rename_s(ads->ldap.ld, computer_dn, computer_rdn,
1887	org_unit, 1, NULL, NULL);
1888	rc = ADS_ERROR(ldap_status);
1889
1890	done:
1891	ads_msgfree(ads, res);
1892	SAFE_FREE(filter);
1893	SAFE_FREE(computer_dn);
1894	SAFE_FREE(computer_rdn);
1895
1896	if (!ADS_ERR_OK(rc)) {
1897	need_move = False;
1898	}
1899
1900	if (moved) {
1901	*moved = need_move;
1902	}
1903
1904	return rc;
1905	}
1906
1907	/*
1908	dump a binary result from ldap
1909	*/
1910	static void dump_binary(ADS_STRUCT ads, const char field, struct berval **values)
1911	{
1912	int i, j;
1913	for (i=0; values[i]; i++) {
1914	printf("%s: ", field);
1915	for (j=0; j<values[i]->bv_len; j++) {
1916	printf("%02X", (unsigned char)values[i]->bv_val[j]);
1917	}
1918	printf("\n");
1919	}
1920	}
1921
1922	static void dump_guid(ADS_STRUCT ads, const char field, struct berval **values)
1923	{
1924	int i;
1925	for (i=0; values[i]; i++) {
1926
1927	UUID_FLAT guid;
1928	struct GUID tmp;
1929
1930	memcpy(guid.info, values[i]->bv_val, sizeof(guid.info));
1931	smb_uuid_unpack(guid, &tmp);
1932	printf("%s: %s\n", field, smb_uuid_string(talloc_tos(), tmp));
1933	}
1934	}
1935
1936	/*
1937	dump a sid result from ldap
1938	*/
1939	static void dump_sid(ADS_STRUCT ads, const char field, struct berval **values)
1940	{
1941	int i;
1942	for (i=0; values[i]; i++) {
1943	DOM_SID sid;
1944	fstring tmp;
1945	sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
1946	printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
1947	}
1948	}
1949
1950	/*
1951	dump ntSecurityDescriptor
1952	*/
1953	static void dump_sd(ADS_STRUCT ads, const char filed, struct berval **values)
1954	{
1955	TALLOC_CTX *frame = talloc_stackframe();
1956	struct security_descriptor *psd;
1957	NTSTATUS status;
1958
1959	status = unmarshall_sec_desc(talloc_tos(), (uint8 *)values[0]->bv_val,
1960	values[0]->bv_len, &psd);
1961	if (!NT_STATUS_IS_OK(status)) {
1962	DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
1963	nt_errstr(status)));
1964	TALLOC_FREE(frame);
1965	return;
1966	}
1967
1968	if (psd) {
1969	ads_disp_sd(ads, talloc_tos(), psd);
1970	}
1971
1972	TALLOC_FREE(frame);
1973	}
1974
1975	/*
1976	dump a string result from ldap
1977	*/
1978	static void dump_string(const char field, char *values)
1979	{
1980	int i;
1981	for (i=0; values[i]; i++) {
1982	printf("%s: %s\n", field, values[i]);
1983	}
1984	}
1985
1986	/*
1987	dump a field from LDAP on stdout
1988	used for debugging
1989	*/
1990
1991	static bool ads_dump_field(ADS_STRUCT ads, char field, void *values, void data_area)
1992	{
1993	const struct {
1994	const char *name;
1995	bool string;
1996	void (handler)(ADS_STRUCT , const char , struct berval *);
1997	} handlers[] = {
1998	{"objectGUID", False, dump_guid},
1999	{"netbootGUID", False, dump_guid},
2000	{"nTSecurityDescriptor", False, dump_sd},
2001	{"dnsRecord", False, dump_binary},
2002	{"objectSid", False, dump_sid},
2003	{"tokenGroups", False, dump_sid},
2004	{"tokenGroupsNoGCAcceptable", False, dump_sid},
2005	{"tokengroupsGlobalandUniversal", False, dump_sid},
2006	{"mS-DS-CreatorSID", False, dump_sid},
2007	{"msExchMailboxGuid", False, dump_guid},
2008	{NULL, True, NULL}
2009	};
2010	int i;
2011
2012	if (!field) { /* must be end of an entry */
2013	printf("\n");
2014	return False;
2015	}
2016
2017	for (i=0; handlers[i].name; i++) {
2018	if (StrCaseCmp(handlers[i].name, field) == 0) {
2019	if (!values) /* first time, indicate string or not */
2020	return handlers[i].string;
2021	handlers[i].handler(ads, field, (struct berval **) values);
2022	break;
2023	}
2024	}
2025	if (!handlers[i].name) {
2026	if (!values) /* first time, indicate string conversion */
2027	return True;
2028	dump_string(field, (char **)values);
2029	}
2030	return False;
2031	}
2032
2033	/**
2034	* Dump a result from LDAP on stdout
2035	* used for debugging
2036	* @param ads connection to ads server
2037	* @param res Results to dump
2038	**/
2039
2040	void ads_dump(ADS_STRUCT ads, LDAPMessage res)
2041	{
2042	ads_process_results(ads, res, ads_dump_field, NULL);
2043	}
2044
2045	/**
2046	* Walk through results, calling a function for each entry found.
2047	* The function receives a field name, a berval * array of values,
2048	* and a data area passed through from the start. The function is
2049	* called once with null for field and values at the end of each
2050	* entry.
2051	* @param ads connection to ads server
2052	* @param res Results to process
2053	* @param fn Function for processing each result
2054	* @param data_area user-defined area to pass to function
2055	**/
2056	void ads_process_results(ADS_STRUCT ads, LDAPMessage res,
2057	bool (fn)(ADS_STRUCT , char , void , void ),
2058	void *data_area)
2059	{
2060	LDAPMessage *msg;
2061	TALLOC_CTX *ctx;
2062
2063	if (!(ctx = talloc_init("ads_process_results")))
2064	return;
2065
2066	for (msg = ads_first_entry(ads, res); msg;
2067	msg = ads_next_entry(ads, msg)) {
2068	char *utf8_field;
2069	BerElement *b;
2070
2071	for (utf8_field=ldap_first_attribute(ads->ldap.ld,
2072	(LDAPMessage *)msg,&b);
2073	utf8_field;
2074	utf8_field=ldap_next_attribute(ads->ldap.ld,
2075	(LDAPMessage *)msg,b)) {
2076	struct berval **ber_vals;
2077	char str_vals, utf8_vals;
2078	char *field;
2079	bool string;
2080
2081	pull_utf8_talloc(ctx, &field, utf8_field);
2082	string = fn(ads, field, NULL, data_area);
2083
2084	if (string) {
2085	utf8_vals = ldap_get_values(ads->ldap.ld,
2086	(LDAPMessage *)msg, field);
2087	str_vals = ads_pull_strvals(ctx,
2088	(const char **) utf8_vals);
2089	fn(ads, field, (void **) str_vals, data_area);
2090	ldap_value_free(utf8_vals);
2091	} else {
2092	ber_vals = ldap_get_values_len(ads->ldap.ld,
2093	(LDAPMessage *)msg, field);
2094	fn(ads, field, (void **) ber_vals, data_area);
2095
2096	ldap_value_free_len(ber_vals);
2097	}
2098	ldap_memfree(utf8_field);
2099	}
2100	ber_free(b, 0);
2101	talloc_free_children(ctx);
2102	fn(ads, NULL, NULL, data_area); /* completed an entry */
2103
2104	}
2105	talloc_destroy(ctx);
2106	}
2107
2108	/**
2109	* count how many replies are in a LDAPMessage
2110	* @param ads connection to ads server
2111	* @param res Results to count
2112	* @return number of replies
2113	**/
2114	int ads_count_replies(ADS_STRUCT ads, void res)
2115	{
2116	return ldap_count_entries(ads->ldap.ld, (LDAPMessage *)res);
2117	}
2118
2119	/**
2120	* pull the first entry from a ADS result
2121	* @param ads connection to ads server
2122	* @param res Results of search
2123	* @return first entry from result
2124	**/
2125	LDAPMessage ads_first_entry(ADS_STRUCT ads, LDAPMessage *res)
2126	{
2127	return ldap_first_entry(ads->ldap.ld, res);
2128	}
2129
2130	/**
2131	* pull the next entry from a ADS result
2132	* @param ads connection to ads server
2133	* @param res Results of search
2134	* @return next entry from result
2135	**/
2136	LDAPMessage ads_next_entry(ADS_STRUCT ads, LDAPMessage *res)
2137	{
2138	return ldap_next_entry(ads->ldap.ld, res);
2139	}
2140
2141	/**
2142	* pull the first message from a ADS result
2143	* @param ads connection to ads server
2144	* @param res Results of search
2145	* @return first message from result
2146	**/
2147	LDAPMessage ads_first_message(ADS_STRUCT ads, LDAPMessage *res)
2148	{
2149	return ldap_first_message(ads->ldap.ld, res);
2150	}
2151
2152	/**
2153	* pull the next message from a ADS result
2154	* @param ads connection to ads server
2155	* @param res Results of search
2156	* @return next message from result
2157	**/
2158	LDAPMessage ads_next_message(ADS_STRUCT ads, LDAPMessage *res)
2159	{
2160	return ldap_next_message(ads->ldap.ld, res);
2161	}
2162
2163	/**
2164	* pull a single string from a ADS result
2165	* @param ads connection to ads server
2166	* @param mem_ctx TALLOC_CTX to use for allocating result string
2167	* @param msg Results of search
2168	* @param field Attribute to retrieve
2169	* @return Result string in talloc context
2170	**/
2171	char ads_pull_string(ADS_STRUCT ads, TALLOC_CTX mem_ctx, LDAPMessage msg,
2172	const char *field)
2173	{
2174	char **values;
2175	char *ret = NULL;
2176	char *ux_string;
2177	size_t rc;
2178
2179	values = ldap_get_values(ads->ldap.ld, msg, field);
2180	if (!values)
2181	return NULL;
2182
2183	if (values[0]) {
2184	rc = pull_utf8_talloc(mem_ctx, &ux_string,
2185	values[0]);
2186	if (rc != (size_t)-1)
2187	ret = ux_string;
2188
2189	}
2190	ldap_value_free(values);
2191	return ret;
2192	}
2193
2194	/**
2195	* pull an array of strings from a ADS result
2196	* @param ads connection to ads server
2197	* @param mem_ctx TALLOC_CTX to use for allocating result string
2198	* @param msg Results of search
2199	* @param field Attribute to retrieve
2200	* @return Result strings in talloc context
2201	**/
2202	char *ads_pull_strings(ADS_STRUCT ads, TALLOC_CTX *mem_ctx,
2203	LDAPMessage msg, const char field,
2204	size_t *num_values)
2205	{
2206	char **values;
2207	char **ret = NULL;
2208	int i;
2209
2210	values = ldap_get_values(ads->ldap.ld, msg, field);
2211	if (!values)
2212	return NULL;
2213
2214	*num_values = ldap_count_values(values);
2215
2216	ret = TALLOC_ARRAY(mem_ctx, char , num_values + 1);
2217	if (!ret) {
2218	ldap_value_free(values);
2219	return NULL;
2220	}
2221
2222	for (i=0;i<*num_values;i++) {
2223	if (pull_utf8_talloc(mem_ctx, &ret[i], values[i]) == -1) {
2224	ldap_value_free(values);
2225	return NULL;
2226	}
2227	}
2228	ret[i] = NULL;
2229
2230	ldap_value_free(values);
2231	return ret;
2232	}
2233
2234	/**
2235	* pull an array of strings from a ADS result
2236	* (handle large multivalue attributes with range retrieval)
2237	* @param ads connection to ads server
2238	* @param mem_ctx TALLOC_CTX to use for allocating result string
2239	* @param msg Results of search
2240	* @param field Attribute to retrieve
2241	* @param current_strings strings returned by a previous call to this function
2242	* @param next_attribute The next query should ask for this attribute
2243	* @param num_values How many values did we get this time?
2244	* @param more_values Are there more values to get?
2245	* @return Result strings in talloc context
2246	**/
2247	char *ads_pull_strings_range(ADS_STRUCT ads,
2248	TALLOC_CTX *mem_ctx,
2249	LDAPMessage msg, const char field,
2250	char **current_strings,
2251	const char **next_attribute,
2252	size_t *num_strings,
2253	bool *more_strings)
2254	{
2255	char *attr;
2256	char expected_range_attrib, range_attr;
2257	BerElement *ptr = NULL;
2258	char **strings;
2259	char **new_strings;
2260	size_t num_new_strings;
2261	unsigned long int range_start;
2262	unsigned long int range_end;
2263
2264	/* we might have been given the whole lot anyway */
2265	if ((strings = ads_pull_strings(ads, mem_ctx, msg, field, num_strings))) {
2266	*more_strings = False;
2267	return strings;
2268	}
2269
2270	expected_range_attrib = talloc_asprintf(mem_ctx, "%s;Range=", field);
2271
2272	/* look for Range result */
2273	for (attr = ldap_first_attribute(ads->ldap.ld, (LDAPMessage *)msg, &ptr);
2274	attr;
2275	attr = ldap_next_attribute(ads->ldap.ld, (LDAPMessage *)msg, ptr)) {
2276	/* we ignore the fact that this is utf8, as all attributes are ascii... */
2277	if (strnequal(attr, expected_range_attrib, strlen(expected_range_attrib))) {
2278	range_attr = attr;
2279	break;
2280	}
2281	ldap_memfree(attr);
2282	}
2283	if (!attr) {
2284	ber_free(ptr, 0);
2285	/* nothing here - this field is just empty */
2286	*more_strings = False;
2287	return NULL;
2288	}
2289
2290	if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-%lu",
2291	&range_start, &range_end) == 2) {
2292	*more_strings = True;
2293	} else {
2294	if (sscanf(&range_attr[strlen(expected_range_attrib)], "%lu-*",
2295	&range_start) == 1) {
2296	*more_strings = False;
2297	} else {
2298	DEBUG(1, ("ads_pull_strings_range: Cannot parse Range attriubte (%s)\n",
2299	range_attr));
2300	ldap_memfree(range_attr);
2301	*more_strings = False;
2302	return NULL;
2303	}
2304	}
2305
2306	if ((*num_strings) != range_start) {
2307	DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) doesn't start at %u, but at %lu"
2308	" - aborting range retreival\n",
2309	range_attr, (unsigned int)(*num_strings) + 1, range_start));
2310	ldap_memfree(range_attr);
2311	*more_strings = False;
2312	return NULL;
2313	}
2314
2315	new_strings = ads_pull_strings(ads, mem_ctx, msg, range_attr, &num_new_strings);
2316
2317	if (more_strings && ((num_strings + num_new_strings) != (range_end + 1))) {
2318	DEBUG(1, ("ads_pull_strings_range: Range attribute (%s) tells us we have %lu "
2319	"strings in this bunch, but we only got %lu - aborting range retreival\n",
2320	range_attr, (unsigned long int)range_end - range_start + 1,
2321	(unsigned long int)num_new_strings));
2322	ldap_memfree(range_attr);
2323	*more_strings = False;
2324	return NULL;
2325	}
2326
2327	strings = TALLOC_REALLOC_ARRAY(mem_ctx, current_strings, char *,
2328	*num_strings + num_new_strings);
2329
2330	if (strings == NULL) {
2331	ldap_memfree(range_attr);
2332	*more_strings = False;
2333	return NULL;
2334	}
2335
2336	if (new_strings && num_new_strings) {
2337	memcpy(&strings[*num_strings], new_strings,
2338	sizeof(new_strings) num_new_strings);
2339	}
2340
2341	(*num_strings) += num_new_strings;
2342
2343	if (*more_strings) {
2344	*next_attribute = talloc_asprintf(mem_ctx,
2345	"%s;range=%d-*",
2346	field,
2347	(int)*num_strings);
2348
2349	if (!*next_attribute) {
2350	DEBUG(1, ("talloc_asprintf for next attribute failed!\n"));
2351	ldap_memfree(range_attr);
2352	*more_strings = False;
2353	return NULL;
2354	}
2355	}
2356
2357	ldap_memfree(range_attr);
2358
2359	return strings;
2360	}
2361
2362	/**
2363	* pull a single uint32 from a ADS result
2364	* @param ads connection to ads server
2365	* @param msg Results of search
2366	* @param field Attribute to retrieve
2367	* @param v Pointer to int to store result
2368	* @return boolean inidicating success
2369	*/
2370	bool ads_pull_uint32(ADS_STRUCT ads, LDAPMessage msg, const char *field,
2371	uint32 *v)
2372	{
2373	char **values;
2374
2375	values = ldap_get_values(ads->ldap.ld, msg, field);
2376	if (!values)
2377	return False;
2378	if (!values[0]) {
2379	ldap_value_free(values);
2380	return False;
2381	}
2382
2383	*v = atoi(values[0]);
2384	ldap_value_free(values);
2385	return True;
2386	}
2387
2388	/**
2389	* pull a single objectGUID from an ADS result
2390	* @param ads connection to ADS server
2391	* @param msg results of search
2392	* @param guid 37-byte area to receive text guid
2393	* @return boolean indicating success
2394	**/
2395	bool ads_pull_guid(ADS_STRUCT ads, LDAPMessage msg, struct GUID *guid)
2396	{
2397	char **values;
2398	UUID_FLAT flat_guid;
2399
2400	values = ldap_get_values(ads->ldap.ld, msg, "objectGUID");
2401	if (!values)
2402	return False;
2403
2404	if (values[0]) {
2405	memcpy(&flat_guid.info, values[0], sizeof(UUID_FLAT));
2406	smb_uuid_unpack(flat_guid, guid);
2407	ldap_value_free(values);
2408	return True;
2409	}
2410	ldap_value_free(values);
2411	return False;
2412
2413	}
2414
2415
2416	/**
2417	* pull a single DOM_SID from a ADS result
2418	* @param ads connection to ads server
2419	* @param msg Results of search
2420	* @param field Attribute to retrieve
2421	* @param sid Pointer to sid to store result
2422	* @return boolean inidicating success
2423	*/
2424	bool ads_pull_sid(ADS_STRUCT ads, LDAPMessage msg, const char *field,
2425	DOM_SID *sid)
2426	{
2427	struct berval **values;
2428	bool ret = False;
2429
2430	values = ldap_get_values_len(ads->ldap.ld, msg, field);
2431
2432	if (!values)
2433	return False;
2434
2435	if (values[0])
2436	ret = sid_parse(values[0]->bv_val, values[0]->bv_len, sid);
2437
2438	ldap_value_free_len(values);
2439	return ret;
2440	}
2441
2442	/**
2443	* pull an array of DOM_SIDs from a ADS result
2444	* @param ads connection to ads server
2445	* @param mem_ctx TALLOC_CTX for allocating sid array
2446	* @param msg Results of search
2447	* @param field Attribute to retrieve
2448	* @param sids pointer to sid array to allocate
2449	* @return the count of SIDs pulled
2450	**/
2451	int ads_pull_sids(ADS_STRUCT ads, TALLOC_CTX mem_ctx,
2452	LDAPMessage msg, const char field, DOM_SID **sids)
2453	{
2454	struct berval **values;
2455	bool ret;
2456	int count, i;
2457
2458	values = ldap_get_values_len(ads->ldap.ld, msg, field);
2459
2460	if (!values)
2461	return 0;
2462
2463	for (i=0; values[i]; i++)
2464	/* nop */ ;
2465
2466	if (i) {
2467	(*sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, i);
2468	if (!(*sids)) {
2469	ldap_value_free_len(values);
2470	return 0;
2471	}
2472	} else {
2473	(*sids) = NULL;
2474	}
2475
2476	count = 0;
2477	for (i=0; values[i]; i++) {
2478	ret = sid_parse(values[i]->bv_val, values[i]->bv_len, &(*sids)[count]);
2479	if (ret) {
2480	DEBUG(10, ("pulling SID: %s\n",
2481	sid_string_dbg(&(*sids)[count])));
2482	count++;
2483	}
2484	}
2485
2486	ldap_value_free_len(values);
2487	return count;
2488	}
2489
2490	/**
2491	* pull a SEC_DESC from a ADS result
2492	* @param ads connection to ads server
2493	* @param mem_ctx TALLOC_CTX for allocating sid array
2494	* @param msg Results of search
2495	* @param field Attribute to retrieve
2496	* @param sd Pointer to *SEC_DESC to store result (talloc()ed)
2497	* @return boolean inidicating success
2498	*/
2499	bool ads_pull_sd(ADS_STRUCT ads, TALLOC_CTX mem_ctx,
2500	LDAPMessage msg, const char field, SEC_DESC **sd)
2501	{
2502	struct berval **values;
2503	bool ret = true;
2504
2505	values = ldap_get_values_len(ads->ldap.ld, msg, field);
2506
2507	if (!values) return false;
2508
2509	if (values[0]) {
2510	NTSTATUS status;
2511	status = unmarshall_sec_desc(mem_ctx,
2512	(uint8 *)values[0]->bv_val,
2513	values[0]->bv_len, sd);
2514	if (!NT_STATUS_IS_OK(status)) {
2515	DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
2516	nt_errstr(status)));
2517	ret = false;
2518	}
2519	}
2520
2521	ldap_value_free_len(values);
2522	return ret;
2523	}
2524
2525	/*
2526	* in order to support usernames longer than 21 characters we need to
2527	* use both the sAMAccountName and the userPrincipalName attributes
2528	* It seems that not all users have the userPrincipalName attribute set
2529	*
2530	* @param ads connection to ads server
2531	* @param mem_ctx TALLOC_CTX for allocating sid array
2532	* @param msg Results of search
2533	* @return the username
2534	*/
2535	char ads_pull_username(ADS_STRUCT ads, TALLOC_CTX *mem_ctx,
2536	LDAPMessage *msg)
2537	{
2538	#if 0 /* JERRY */
2539	char ret, p;
2540
2541	/* lookup_name() only works on the sAMAccountName to
2542	returning the username portion of userPrincipalName
2543	breaks winbindd_getpwnam() */
2544
2545	ret = ads_pull_string(ads, mem_ctx, msg, "userPrincipalName");
2546	if (ret && (p = strchr_m(ret, '@'))) {
2547	*p = 0;
2548	return ret;
2549	}
2550	#endif
2551	return ads_pull_string(ads, mem_ctx, msg, "sAMAccountName");
2552	}
2553
2554
2555	/**
2556	* find the update serial number - this is the core of the ldap cache
2557	* @param ads connection to ads server
2558	* @param ads connection to ADS server
2559	* @param usn Pointer to retrieved update serial number
2560	* @return status of search
2561	**/
2562	ADS_STATUS ads_USN(ADS_STRUCT ads, uint32 usn)
2563	{
2564	const char *attrs[] = {"highestCommittedUSN", NULL};
2565	ADS_STATUS status;
2566	LDAPMessage *res;
2567
2568	status = ads_do_search_retry(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2569	if (!ADS_ERR_OK(status))
2570	return status;
2571
2572	if (ads_count_replies(ads, res) != 1) {
2573	ads_msgfree(ads, res);
2574	return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2575	}
2576
2577	if (!ads_pull_uint32(ads, res, "highestCommittedUSN", usn)) {
2578	ads_msgfree(ads, res);
2579	return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
2580	}
2581
2582	ads_msgfree(ads, res);
2583	return ADS_SUCCESS;
2584	}
2585
2586	/* parse a ADS timestring - typical string is
2587	'20020917091222.0Z0' which means 09:12.22 17th September
2588	2002, timezone 0 */
2589	static time_t ads_parse_time(const char *str)
2590	{
2591	struct tm tm;
2592
2593	ZERO_STRUCT(tm);
2594
2595	if (sscanf(str, "%4d%2d%2d%2d%2d%2d",
2596	&tm.tm_year, &tm.tm_mon, &tm.tm_mday,
2597	&tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
2598	return 0;
2599	}
2600	tm.tm_year -= 1900;
2601	tm.tm_mon -= 1;
2602
2603	return timegm(&tm);
2604	}
2605
2606	/********************************************************************
2607	********************************************************************/
2608
2609	ADS_STATUS ads_current_time(ADS_STRUCT *ads)
2610	{
2611	const char *attrs[] = {"currentTime", NULL};
2612	ADS_STATUS status;
2613	LDAPMessage *res;
2614	char *timestr;
2615	TALLOC_CTX *ctx;
2616	ADS_STRUCT *ads_s = ads;
2617
2618	if (!(ctx = talloc_init("ads_current_time"))) {
2619	return ADS_ERROR(LDAP_NO_MEMORY);
2620	}
2621
2622	/* establish a new ldap tcp session if necessary */
2623
2624	if ( !ads->ldap.ld ) {
2625	if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2626	ads->server.ldap_server )) == NULL )
2627	{
2628	goto done;
2629	}
2630	ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2631	status = ads_connect( ads_s );
2632	if ( !ADS_ERR_OK(status))
2633	goto done;
2634	}
2635
2636	status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2637	if (!ADS_ERR_OK(status)) {
2638	goto done;
2639	}
2640
2641	timestr = ads_pull_string(ads_s, ctx, res, "currentTime");
2642	if (!timestr) {
2643	ads_msgfree(ads_s, res);
2644	status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2645	goto done;
2646	}
2647
2648	/* but save the time and offset in the original ADS_STRUCT */
2649
2650	ads->config.current_time = ads_parse_time(timestr);
2651
2652	if (ads->config.current_time != 0) {
2653	ads->auth.time_offset = ads->config.current_time - time(NULL);
2654	DEBUG(4,("time offset is %d seconds\n", ads->auth.time_offset));
2655	}
2656
2657	ads_msgfree(ads, res);
2658
2659	status = ADS_SUCCESS;
2660
2661	done:
2662	/* free any temporary ads connections */
2663	if ( ads_s != ads ) {
2664	ads_destroy( &ads_s );
2665	}
2666	talloc_destroy(ctx);
2667
2668	return status;
2669	}
2670
2671	/********************************************************************
2672	********************************************************************/
2673
2674	ADS_STATUS ads_domain_func_level(ADS_STRUCT ads, uint32 val)
2675	{
2676	const char *attrs[] = {"domainFunctionality", NULL};
2677	ADS_STATUS status;
2678	LDAPMessage *res;
2679	ADS_STRUCT *ads_s = ads;
2680
2681	*val = DS_DOMAIN_FUNCTION_2000;
2682
2683	/* establish a new ldap tcp session if necessary */
2684
2685	if ( !ads->ldap.ld ) {
2686	if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
2687	ads->server.ldap_server )) == NULL )
2688	{
2689	status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
2690	goto done;
2691	}
2692	ads_s->auth.flags = ADS_AUTH_ANON_BIND;
2693	status = ads_connect( ads_s );
2694	if ( !ADS_ERR_OK(status))
2695	goto done;
2696	}
2697
2698	/* If the attribute does not exist assume it is a Windows 2000
2699	functional domain */
2700
2701	status = ads_do_search(ads_s, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2702	if (!ADS_ERR_OK(status)) {
2703	if ( status.err.rc == LDAP_NO_SUCH_ATTRIBUTE ) {
2704	status = ADS_SUCCESS;
2705	}
2706	goto done;
2707	}
2708
2709	if ( !ads_pull_uint32(ads_s, res, "domainFunctionality", val) ) {
2710	DEBUG(5,("ads_domain_func_level: Failed to pull the domainFunctionality attribute.\n"));
2711	}
2712	DEBUG(3,("ads_domain_func_level: %d\n", *val));
2713
2714
2715	ads_msgfree(ads, res);
2716
2717	done:
2718	/* free any temporary ads connections */
2719	if ( ads_s != ads ) {
2720	ads_destroy( &ads_s );
2721	}
2722
2723	return status;
2724	}
2725
2726	/**
2727	* find the domain sid for our domain
2728	* @param ads connection to ads server
2729	* @param sid Pointer to domain sid
2730	* @return status of search
2731	**/
2732	ADS_STATUS ads_domain_sid(ADS_STRUCT ads, DOM_SID sid)
2733	{
2734	const char *attrs[] = {"objectSid", NULL};
2735	LDAPMessage *res;
2736	ADS_STATUS rc;
2737
2738	rc = ads_do_search_retry(ads, ads->config.bind_path, LDAP_SCOPE_BASE, "(objectclass=*)",
2739	attrs, &res);
2740	if (!ADS_ERR_OK(rc)) return rc;
2741	if (!ads_pull_sid(ads, res, "objectSid", sid)) {
2742	ads_msgfree(ads, res);
2743	return ADS_ERROR_SYSTEM(ENOENT);
2744	}
2745	ads_msgfree(ads, res);
2746
2747	return ADS_SUCCESS;
2748	}
2749
2750	/**
2751	* find our site name
2752	* @param ads connection to ads server
2753	* @param mem_ctx Pointer to talloc context
2754	* @param site_name Pointer to the sitename
2755	* @return status of search
2756	**/
2757	ADS_STATUS ads_site_dn(ADS_STRUCT ads, TALLOC_CTX mem_ctx, const char **site_name)
2758	{
2759	ADS_STATUS status;
2760	LDAPMessage *res;
2761	const char dn, service_name;
2762	const char *attrs[] = { "dsServiceName", NULL };
2763
2764	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
2765	if (!ADS_ERR_OK(status)) {
2766	return status;
2767	}
2768
2769	service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
2770	if (service_name == NULL) {
2771	ads_msgfree(ads, res);
2772	return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2773	}
2774
2775	ads_msgfree(ads, res);
2776
2777	/* go up three levels */
2778	dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
2779	if (dn == NULL) {
2780	return ADS_ERROR(LDAP_NO_MEMORY);
2781	}
2782
2783	*site_name = talloc_strdup(mem_ctx, dn);
2784	if (*site_name == NULL) {
2785	return ADS_ERROR(LDAP_NO_MEMORY);
2786	}
2787
2788	return status;
2789	/*
2790	dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
2791	*/
2792	}
2793
2794	/**
2795	* find the site dn where a machine resides
2796	* @param ads connection to ads server
2797	* @param mem_ctx Pointer to talloc context
2798	* @param computer_name name of the machine
2799	* @param site_name Pointer to the sitename
2800	* @return status of search
2801	**/
2802	ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT ads, TALLOC_CTX mem_ctx, const char computer_name, const char *site_dn)
2803	{
2804	ADS_STATUS status;
2805	LDAPMessage *res;
2806	const char parent, filter;
2807	char *config_context = NULL;
2808	char *dn;
2809
2810	/* shortcut a query */
2811	if (strequal(computer_name, ads->config.ldap_server_name)) {
2812	return ads_site_dn(ads, mem_ctx, site_dn);
2813	}
2814
2815	status = ads_config_path(ads, mem_ctx, &config_context);
2816	if (!ADS_ERR_OK(status)) {
2817	return status;
2818	}
2819
2820	filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
2821	if (filter == NULL) {
2822	return ADS_ERROR(LDAP_NO_MEMORY);
2823	}
2824
2825	status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE,
2826	filter, NULL, &res);
2827	if (!ADS_ERR_OK(status)) {
2828	return status;
2829	}
2830
2831	if (ads_count_replies(ads, res) != 1) {
2832	ads_msgfree(ads, res);
2833	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2834	}
2835
2836	dn = ads_get_dn(ads, res);
2837	if (dn == NULL) {
2838	ads_msgfree(ads, res);
2839	return ADS_ERROR(LDAP_NO_MEMORY);
2840	}
2841
2842	/* go up three levels */
2843	parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
2844	if (parent == NULL) {
2845	ads_msgfree(ads, res);
2846	ads_memfree(ads, dn);
2847	return ADS_ERROR(LDAP_NO_MEMORY);
2848	}
2849
2850	*site_dn = talloc_strdup(mem_ctx, parent);
2851	if (*site_dn == NULL) {
2852	ads_msgfree(ads, res);
2853	ads_memfree(ads, dn);
2854	return ADS_ERROR(LDAP_NO_MEMORY);
2855	}
2856
2857	ads_memfree(ads, dn);
2858	ads_msgfree(ads, res);
2859
2860	return status;
2861	}
2862
2863	/**
2864	* get the upn suffixes for a domain
2865	* @param ads connection to ads server
2866	* @param mem_ctx Pointer to talloc context
2867	* @param suffixes Pointer to an array of suffixes
2868	* @param num_suffixes Pointer to the number of suffixes
2869	* @return status of search
2870	**/
2871	ADS_STATUS ads_upn_suffixes(ADS_STRUCT ads, TALLOC_CTX mem_ctx, char **suffixes, size_t num_suffixes)
2872	{
2873	ADS_STATUS status;
2874	LDAPMessage *res;
2875	const char *base;
2876	char *config_context = NULL;
2877	const char *attrs[] = { "uPNSuffixes", NULL };
2878
2879	status = ads_config_path(ads, mem_ctx, &config_context);
2880	if (!ADS_ERR_OK(status)) {
2881	return status;
2882	}
2883
2884	base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
2885	if (base == NULL) {
2886	return ADS_ERROR(LDAP_NO_MEMORY);
2887	}
2888
2889	status = ads_search_dn(ads, &res, base, attrs);
2890	if (!ADS_ERR_OK(status)) {
2891	return status;
2892	}
2893
2894	if (ads_count_replies(ads, res) != 1) {
2895	ads_msgfree(ads, res);
2896	return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
2897	}
2898
2899	(*suffixes) = ads_pull_strings(ads, mem_ctx, res, "uPNSuffixes", num_suffixes);
2900	if ((*suffixes) == NULL) {
2901	ads_msgfree(ads, res);
2902	return ADS_ERROR(LDAP_NO_MEMORY);
2903	}
2904
2905	ads_msgfree(ads, res);
2906
2907	return status;
2908	}
2909
2910	/**
2911	* get the joinable ous for a domain
2912	* @param ads connection to ads server
2913	* @param mem_ctx Pointer to talloc context
2914	* @param ous Pointer to an array of ous
2915	* @param num_ous Pointer to the number of ous
2916	* @return status of search
2917	**/
2918	ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
2919	TALLOC_CTX *mem_ctx,
2920	char ***ous,
2921	size_t *num_ous)
2922	{
2923	ADS_STATUS status;
2924	LDAPMessage *res = NULL;
2925	LDAPMessage *msg = NULL;
2926	const char *attrs[] = { "dn", NULL };
2927	int count = 0;
2928
2929	status = ads_search(ads, &res,
2930	"(\|(objectClass=domain)(objectclass=organizationalUnit))",
2931	attrs);
2932	if (!ADS_ERR_OK(status)) {
2933	return status;
2934	}
2935
2936	count = ads_count_replies(ads, res);
2937	if (count < 1) {
2938	ads_msgfree(ads, res);
2939	return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
2940	}
2941
2942	for (msg = ads_first_entry(ads, res); msg;
2943	msg = ads_next_entry(ads, msg)) {
2944
2945	char *dn = NULL;
2946
2947	dn = ads_get_dn(ads, msg);
2948	if (!dn) {
2949	ads_msgfree(ads, res);
2950	return ADS_ERROR(LDAP_NO_MEMORY);
2951	}
2952
2953	if (!add_string_to_array(mem_ctx, dn,
2954	(const char ***)ous,
2955	(int *)num_ous)) {
2956	ads_memfree(ads, dn);
2957	ads_msgfree(ads, res);
2958	return ADS_ERROR(LDAP_NO_MEMORY);
2959	}
2960
2961	ads_memfree(ads, dn);
2962	}
2963
2964	ads_msgfree(ads, res);
2965
2966	return status;
2967	}
2968
2969
2970	/**
2971	* pull a DOM_SID from an extended dn string
2972	* @param mem_ctx TALLOC_CTX
2973	* @param extended_dn string
2974	* @param flags string type of extended_dn
2975	* @param sid pointer to a DOM_SID
2976	* @return NT_STATUS_OK on success,
2977	* NT_INVALID_PARAMETER on error,
2978	* NT_STATUS_NOT_FOUND if no SID present
2979	**/
2980	ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
2981	const char *extended_dn,
2982	enum ads_extended_dn_flags flags,
2983	DOM_SID *sid)
2984	{
2985	char p, q, *dn;
2986
2987	if (!extended_dn) {
2988	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
2989	}
2990
2991	/* otherwise extended_dn gets stripped off */
2992	if ((dn = talloc_strdup(mem_ctx, extended_dn)) == NULL) {
2993	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
2994	}
2995	/*
2996	* ADS_EXTENDED_DN_HEX_STRING:
2997	* <GUID=238e1963cb390f4bb032ba0105525a29>;<SID=010500000000000515000000bb68c8fd6b61b427572eb04556040000>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
2998	*
2999	* ADS_EXTENDED_DN_STRING (only with w2k3):
3000	* <GUID=63198e23-39cb-4b0f-b032-ba0105525a29>;<SID=S-1-5-21-4257769659-666132843-1169174103-1110>;CN=gd,OU=berlin,OU=suse,DC=ber,DC=suse,DC=de
3001	*
3002	* Object with no SID, such as an Exchange Public Folder
3003	* <GUID=28907fb4bdf6854993e7f0a10b504e7c>;CN=public,CN=Microsoft Exchange System Objects,DC=sd2k3ms,DC=west,DC=isilon,DC=com
3004	*/
3005
3006	p = strchr(dn, ';');
3007	if (!p) {
3008	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3009	}
3010
3011	if (strncmp(p, ";<SID=", strlen(";<SID=")) != 0) {
3012	DEBUG(5,("No SID present in extended dn\n"));
3013	return ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
3014	}
3015
3016	p += strlen(";<SID=");
3017
3018	q = strchr(p, '>');
3019	if (!q) {
3020	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3021	}
3022
3023	*q = '\0';
3024
3025	DEBUG(100,("ads_get_sid_from_extended_dn: sid string is %s\n", p));
3026
3027	switch (flags) {
3028
3029	case ADS_EXTENDED_DN_STRING:
3030	if (!string_to_sid(sid, p)) {
3031	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3032	}
3033	break;
3034	case ADS_EXTENDED_DN_HEX_STRING: {
3035	fstring buf;
3036	size_t buf_len;
3037
3038	buf_len = strhex_to_str(buf, sizeof(buf), p, strlen(p));
3039	if (buf_len == 0) {
3040	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3041	}
3042
3043	if (!sid_parse(buf, buf_len, sid)) {
3044	DEBUG(10,("failed to parse sid\n"));
3045	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3046	}
3047	break;
3048	}
3049	default:
3050	DEBUG(10,("unknown extended dn format\n"));
3051	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
3052	}
3053
3054	return ADS_ERROR_NT(NT_STATUS_OK);
3055	}
3056
3057	/**
3058	* pull an array of DOM_SIDs from a ADS result
3059	* @param ads connection to ads server
3060	* @param mem_ctx TALLOC_CTX for allocating sid array
3061	* @param msg Results of search
3062	* @param field Attribute to retrieve
3063	* @param flags string type of extended_dn
3064	* @param sids pointer to sid array to allocate
3065	* @return the count of SIDs pulled
3066	**/
3067	int ads_pull_sids_from_extendeddn(ADS_STRUCT *ads,
3068	TALLOC_CTX *mem_ctx,
3069	LDAPMessage *msg,
3070	const char *field,
3071	enum ads_extended_dn_flags flags,
3072	DOM_SID **sids)
3073	{
3074	int i;
3075	ADS_STATUS rc;
3076	size_t dn_count, ret_count = 0;
3077	char **dn_strings;
3078
3079	if ((dn_strings = ads_pull_strings(ads, mem_ctx, msg, field,
3080	&dn_count)) == NULL) {
3081	return 0;
3082	}
3083
3084	(*sids) = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, dn_count + 1);
3085	if (!(*sids)) {
3086	TALLOC_FREE(dn_strings);
3087	return 0;
3088	}
3089
3090	for (i=0; i<dn_count; i++) {
3091	rc = ads_get_sid_from_extended_dn(mem_ctx, dn_strings[i],
3092	flags, &(*sids)[i]);
3093	if (!ADS_ERR_OK(rc)) {
3094	if (NT_STATUS_EQUAL(ads_ntstatus(rc),
3095	NT_STATUS_NOT_FOUND)) {
3096	continue;
3097	}
3098	else {
3099	TALLOC_FREE(*sids);
3100	TALLOC_FREE(dn_strings);
3101	return 0;
3102	}
3103	}
3104	ret_count++;
3105	}
3106
3107	TALLOC_FREE(dn_strings);
3108
3109	return ret_count;
3110	}
3111
3112	/********************************************************************
3113	********************************************************************/
3114
3115	char* ads_get_dnshostname( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
3116	{
3117	LDAPMessage *res = NULL;
3118	ADS_STATUS status;
3119	int count = 0;
3120	char *name = NULL;
3121
3122	status = ads_find_machine_acct(ads, &res, global_myname());
3123	if (!ADS_ERR_OK(status)) {
3124	DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3125	global_myname()));
3126	goto out;
3127	}
3128
3129	if ( (count = ads_count_replies(ads, res)) != 1 ) {
3130	DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3131	goto out;
3132	}
3133
3134	if ( (name = ads_pull_string(ads, ctx, res, "dNSHostName")) == NULL ) {
3135	DEBUG(0,("ads_get_dnshostname: No dNSHostName attribute!\n"));
3136	}
3137
3138	out:
3139	ads_msgfree(ads, res);
3140
3141	return name;
3142	}
3143
3144	/********************************************************************
3145	********************************************************************/
3146
3147	char* ads_get_upn( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
3148	{
3149	LDAPMessage *res = NULL;
3150	ADS_STATUS status;
3151	int count = 0;
3152	char *name = NULL;
3153
3154	status = ads_find_machine_acct(ads, &res, machine_name);
3155	if (!ADS_ERR_OK(status)) {
3156	DEBUG(0,("ads_get_upn: Failed to find account for %s\n",
3157	global_myname()));
3158	goto out;
3159	}
3160
3161	if ( (count = ads_count_replies(ads, res)) != 1 ) {
3162	DEBUG(1,("ads_get_upn: %d entries returned!\n", count));
3163	goto out;
3164	}
3165
3166	if ( (name = ads_pull_string(ads, ctx, res, "userPrincipalName")) == NULL ) {
3167	DEBUG(2,("ads_get_upn: No userPrincipalName attribute!\n"));
3168	}
3169
3170	out:
3171	ads_msgfree(ads, res);
3172
3173	return name;
3174	}
3175
3176	/********************************************************************
3177	********************************************************************/
3178
3179	char* ads_get_samaccountname( ADS_STRUCT ads, TALLOC_CTX ctx, const char *machine_name )
3180	{
3181	LDAPMessage *res = NULL;
3182	ADS_STATUS status;
3183	int count = 0;
3184	char *name = NULL;
3185
3186	status = ads_find_machine_acct(ads, &res, global_myname());
3187	if (!ADS_ERR_OK(status)) {
3188	DEBUG(0,("ads_get_dnshostname: Failed to find account for %s\n",
3189	global_myname()));
3190	goto out;
3191	}
3192
3193	if ( (count = ads_count_replies(ads, res)) != 1 ) {
3194	DEBUG(1,("ads_get_dnshostname: %d entries returned!\n", count));
3195	goto out;
3196	}
3197
3198	if ( (name = ads_pull_string(ads, ctx, res, "sAMAccountName")) == NULL ) {
3199	DEBUG(0,("ads_get_dnshostname: No sAMAccountName attribute!\n"));
3200	}
3201
3202	out:
3203	ads_msgfree(ads, res);
3204
3205	return name;
3206	}
3207
3208	#if 0
3209
3210	SAVED CODE - we used to join via ldap - remember how we did this. JRA.
3211
3212	/**
3213	* Join a machine to a realm
3214	* Creates the machine account and sets the machine password
3215	* @param ads connection to ads server
3216	* @param machine name of host to add
3217	* @param org_unit Organizational unit to place machine in
3218	* @return status of join
3219	**/
3220	ADS_STATUS ads_join_realm(ADS_STRUCT ads, const char machine_name,
3221	uint32 account_type, const char *org_unit)
3222	{
3223	ADS_STATUS status;
3224	LDAPMessage *res = NULL;
3225	char *machine;
3226
3227	/* machine name must be lowercase */
3228	machine = SMB_STRDUP(machine_name);
3229	strlower_m(machine);
3230
3231	/*
3232	status = ads_find_machine_acct(ads, (void **)&res, machine);
3233	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3234	DEBUG(0, ("Host account for %s already exists - deleting old account\n", machine));
3235	status = ads_leave_realm(ads, machine);
3236	if (!ADS_ERR_OK(status)) {
3237	DEBUG(0, ("Failed to delete host '%s' from the '%s' realm.\n",
3238	machine, ads->config.realm));
3239	return status;
3240	}
3241	}
3242	*/
3243	status = ads_add_machine_acct(ads, machine, account_type, org_unit);
3244	if (!ADS_ERR_OK(status)) {
3245	DEBUG(0, ("ads_join_realm: ads_add_machine_acct failed (%s): %s\n", machine, ads_errstr(status)));
3246	SAFE_FREE(machine);
3247	return status;
3248	}
3249
3250	status = ads_find_machine_acct(ads, (void *)(void )&res, machine);
3251	if (!ADS_ERR_OK(status)) {
3252	DEBUG(0, ("ads_join_realm: Host account test failed for machine %s\n", machine));
3253	SAFE_FREE(machine);
3254	return status;
3255	}
3256
3257	SAFE_FREE(machine);
3258	ads_msgfree(ads, res);
3259
3260	return status;
3261	}
3262	#endif
3263
3264	/**
3265	* Delete a machine from the realm
3266	* @param ads connection to ads server
3267	* @param hostname Machine to remove
3268	* @return status of delete
3269	**/
3270	ADS_STATUS ads_leave_realm(ADS_STRUCT ads, const char hostname)
3271	{
3272	ADS_STATUS status;
3273	void *msg;
3274	LDAPMessage *res;
3275	char hostnameDN, host;
3276	int rc;
3277	LDAPControl ldap_control;
3278	LDAPControl * pldap_control[2] = {NULL, NULL};
3279
3280	pldap_control[0] = &ldap_control;
3281	memset(&ldap_control, 0, sizeof(LDAPControl));
3282	ldap_control.ldctl_oid = (char *)LDAP_SERVER_TREE_DELETE_OID;
3283
3284	/* hostname must be lowercase */
3285	host = SMB_STRDUP(hostname);
3286	strlower_m(host);
3287
3288	status = ads_find_machine_acct(ads, &res, host);
3289	if (!ADS_ERR_OK(status)) {
3290	DEBUG(0, ("Host account for %s does not exist.\n", host));
3291	SAFE_FREE(host);
3292	return status;
3293	}
3294
3295	msg = ads_first_entry(ads, res);
3296	if (!msg) {
3297	SAFE_FREE(host);
3298	return ADS_ERROR_SYSTEM(ENOENT);
3299	}
3300
3301	hostnameDN = ads_get_dn(ads, (LDAPMessage *)msg);
3302
3303	rc = ldap_delete_ext_s(ads->ldap.ld, hostnameDN, pldap_control, NULL);
3304	if (rc) {
3305	DEBUG(3,("ldap_delete_ext_s failed with error code %d\n", rc));
3306	}else {
3307	DEBUG(3,("ldap_delete_ext_s succeeded with error code %d\n", rc));
3308	}
3309
3310	if (rc != LDAP_SUCCESS) {
3311	const char *attrs[] = { "cn", NULL };
3312	LDAPMessage *msg_sub;
3313
3314	/* we only search with scope ONE, we do not expect any further
3315	* objects to be created deeper */
3316
3317	status = ads_do_search_retry(ads, hostnameDN,
3318	LDAP_SCOPE_ONELEVEL,
3319	"(objectclass=*)", attrs, &res);
3320
3321	if (!ADS_ERR_OK(status)) {
3322	SAFE_FREE(host);
3323	ads_memfree(ads, hostnameDN);
3324	return status;
3325	}
3326
3327	for (msg_sub = ads_first_entry(ads, res); msg_sub;
3328	msg_sub = ads_next_entry(ads, msg_sub)) {
3329
3330	char *dn = NULL;
3331
3332	if ((dn = ads_get_dn(ads, msg_sub)) == NULL) {
3333	SAFE_FREE(host);
3334	ads_memfree(ads, hostnameDN);
3335	return ADS_ERROR(LDAP_NO_MEMORY);
3336	}
3337
3338	status = ads_del_dn(ads, dn);
3339	if (!ADS_ERR_OK(status)) {
3340	DEBUG(3,("failed to delete dn %s: %s\n", dn, ads_errstr(status)));
3341	SAFE_FREE(host);
3342	ads_memfree(ads, dn);
3343	ads_memfree(ads, hostnameDN);
3344	return status;
3345	}
3346
3347	ads_memfree(ads, dn);
3348	}
3349
3350	/* there should be no subordinate objects anymore */
3351	status = ads_do_search_retry(ads, hostnameDN,
3352	LDAP_SCOPE_ONELEVEL,
3353	"(objectclass=*)", attrs, &res);
3354
3355	if (!ADS_ERR_OK(status) \|\| ( (ads_count_replies(ads, res)) > 0 ) ) {
3356	SAFE_FREE(host);
3357	ads_memfree(ads, hostnameDN);
3358	return status;
3359	}
3360
3361	/* delete hostnameDN now */
3362	status = ads_del_dn(ads, hostnameDN);
3363	if (!ADS_ERR_OK(status)) {
3364	SAFE_FREE(host);
3365	DEBUG(3,("failed to delete dn %s: %s\n", hostnameDN, ads_errstr(status)));
3366	ads_memfree(ads, hostnameDN);
3367	return status;
3368	}
3369	}
3370
3371	ads_memfree(ads, hostnameDN);
3372
3373	status = ads_find_machine_acct(ads, &res, host);
3374	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
3375	DEBUG(3, ("Failed to remove host account.\n"));
3376	SAFE_FREE(host);
3377	return status;
3378	}
3379
3380	SAFE_FREE(host);
3381	return status;
3382	}
3383
3384	/**
3385	* pull all token-sids from an LDAP dn
3386	* @param ads connection to ads server
3387	* @param mem_ctx TALLOC_CTX for allocating sid array
3388	* @param dn of LDAP object
3389	* @param user_sid pointer to DOM_SID (objectSid)
3390	* @param primary_group_sid pointer to DOM_SID (self composed)
3391	* @param sids pointer to sid array to allocate
3392	* @param num_sids counter of SIDs pulled
3393	* @return status of token query
3394	**/
3395	ADS_STATUS ads_get_tokensids(ADS_STRUCT *ads,
3396	TALLOC_CTX *mem_ctx,
3397	const char *dn,
3398	DOM_SID *user_sid,
3399	DOM_SID *primary_group_sid,
3400	DOM_SID **sids,
3401	size_t *num_sids)
3402	{
3403	ADS_STATUS status;
3404	LDAPMessage *res = NULL;
3405	int count = 0;
3406	size_t tmp_num_sids;
3407	DOM_SID *tmp_sids;
3408	DOM_SID tmp_user_sid;
3409	DOM_SID tmp_primary_group_sid;
3410	uint32 pgid;
3411	const char *attrs[] = {
3412	"objectSid",
3413	"tokenGroups",
3414	"primaryGroupID",
3415	NULL
3416	};
3417
3418	status = ads_search_retry_dn(ads, &res, dn, attrs);
3419	if (!ADS_ERR_OK(status)) {
3420	return status;
3421	}
3422
3423	count = ads_count_replies(ads, res);
3424	if (count != 1) {
3425	ads_msgfree(ads, res);
3426	return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
3427	}
3428
3429	if (!ads_pull_sid(ads, res, "objectSid", &tmp_user_sid)) {
3430	ads_msgfree(ads, res);
3431	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3432	}
3433
3434	if (!ads_pull_uint32(ads, res, "primaryGroupID", &pgid)) {
3435	ads_msgfree(ads, res);
3436	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3437	}
3438
3439	{
3440	/* hack to compose the primary group sid without knowing the
3441	* domsid */
3442
3443	DOM_SID domsid;
3444	uint32 dummy_rid;
3445
3446	sid_copy(&domsid, &tmp_user_sid);
3447
3448	if (!sid_split_rid(&domsid, &dummy_rid)) {
3449	ads_msgfree(ads, res);
3450	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3451	}
3452
3453	if (!sid_compose(&tmp_primary_group_sid, &domsid, pgid)) {
3454	ads_msgfree(ads, res);
3455	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3456	}
3457	}
3458
3459	tmp_num_sids = ads_pull_sids(ads, mem_ctx, res, "tokenGroups", &tmp_sids);
3460
3461	if (tmp_num_sids == 0 \|\| !tmp_sids) {
3462	ads_msgfree(ads, res);
3463	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3464	}
3465
3466	if (num_sids) {
3467	*num_sids = tmp_num_sids;
3468	}
3469
3470	if (sids) {
3471	*sids = tmp_sids;
3472	}
3473
3474	if (user_sid) {
3475	*user_sid = tmp_user_sid;
3476	}
3477
3478	if (primary_group_sid) {
3479	*primary_group_sid = tmp_primary_group_sid;
3480	}
3481
3482	DEBUG(10,("ads_get_tokensids: returned %d sids\n", (int)tmp_num_sids + 2));
3483
3484	ads_msgfree(ads, res);
3485	return ADS_ERROR_LDAP(LDAP_SUCCESS);
3486	}
3487
3488	/**
3489	* Find a sAMAccoutName in LDAP
3490	* @param ads connection to ads server
3491	* @param mem_ctx TALLOC_CTX for allocating sid array
3492	* @param samaccountname to search
3493	* @param uac_ret uint32 pointer userAccountControl attribute value
3494	* @param dn_ret pointer to dn
3495	* @return status of token query
3496	**/
3497	ADS_STATUS ads_find_samaccount(ADS_STRUCT *ads,
3498	TALLOC_CTX *mem_ctx,
3499	const char *samaccountname,
3500	uint32 *uac_ret,
3501	const char **dn_ret)
3502	{
3503	ADS_STATUS status;
3504	const char *attrs[] = { "userAccountControl", NULL };
3505	const char *filter;
3506	LDAPMessage *res = NULL;
3507	char *dn = NULL;
3508	uint32 uac = 0;
3509
3510	filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))",
3511	samaccountname);
3512	if (filter == NULL) {
3513	status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
3514	goto out;
3515	}
3516
3517	status = ads_do_search_all(ads, ads->config.bind_path,
3518	LDAP_SCOPE_SUBTREE,
3519	filter, attrs, &res);
3520
3521	if (!ADS_ERR_OK(status)) {
3522	goto out;
3523	}
3524
3525	if (ads_count_replies(ads, res) != 1) {
3526	status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
3527	goto out;
3528	}
3529
3530	dn = ads_get_dn(ads, res);
3531	if (dn == NULL) {
3532	status = ADS_ERROR(LDAP_NO_MEMORY);
3533	goto out;
3534	}
3535
3536	if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
3537	status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
3538	goto out;
3539	}
3540
3541	if (uac_ret) {
3542	*uac_ret = uac;
3543	}
3544
3545	if (dn_ret) {
3546	*dn_ret = talloc_strdup(mem_ctx, dn);
3547	if (!*dn_ret) {
3548	status = ADS_ERROR(LDAP_NO_MEMORY);
3549	goto out;
3550	}
3551	}
3552	out:
3553	ads_memfree(ads, dn);
3554	ads_msgfree(ads, res);
3555
3556	return status;
3557	}
3558
3559	/**
3560	* find our configuration path
3561	* @param ads connection to ads server
3562	* @param mem_ctx Pointer to talloc context
3563	* @param config_path Pointer to the config path
3564	* @return status of search
3565	**/
3566	ADS_STATUS ads_config_path(ADS_STRUCT *ads,
3567	TALLOC_CTX *mem_ctx,
3568	char **config_path)
3569	{
3570	ADS_STATUS status;
3571	LDAPMessage *res = NULL;
3572	const char *config_context = NULL;
3573	const char *attrs[] = { "configurationNamingContext", NULL };
3574
3575	status = ads_do_search(ads, "", LDAP_SCOPE_BASE,
3576	"(objectclass=*)", attrs, &res);
3577	if (!ADS_ERR_OK(status)) {
3578	return status;
3579	}
3580
3581	config_context = ads_pull_string(ads, mem_ctx, res,
3582	"configurationNamingContext");
3583	ads_msgfree(ads, res);
3584	if (!config_context) {
3585	return ADS_ERROR(LDAP_NO_MEMORY);
3586	}
3587
3588	if (config_path) {
3589	*config_path = talloc_strdup(mem_ctx, config_context);
3590	if (!*config_path) {
3591	return ADS_ERROR(LDAP_NO_MEMORY);
3592	}
3593	}
3594
3595	return ADS_ERROR(LDAP_SUCCESS);
3596	}
3597
3598	/**
3599	* find the displayName of an extended right
3600	* @param ads connection to ads server
3601	* @param config_path The config path
3602	* @param mem_ctx Pointer to talloc context
3603	* @param GUID struct of the rightsGUID
3604	* @return status of search
3605	**/
3606	const char ads_get_extended_right_name_by_guid(ADS_STRUCT ads,
3607	const char *config_path,
3608	TALLOC_CTX *mem_ctx,
3609	const struct GUID *rights_guid)
3610	{
3611	ADS_STATUS rc;
3612	LDAPMessage *res = NULL;
3613	char *expr = NULL;
3614	const char *attrs[] = { "displayName", NULL };
3615	const char *result = NULL;
3616	const char *path;
3617
3618	if (!ads \|\| !mem_ctx \|\| !rights_guid) {
3619	goto done;
3620	}
3621
3622	expr = talloc_asprintf(mem_ctx, "(rightsGuid=%s)",
3623	smb_uuid_string(mem_ctx, *rights_guid));
3624	if (!expr) {
3625	goto done;
3626	}
3627
3628	path = talloc_asprintf(mem_ctx, "cn=Extended-Rights,%s", config_path);
3629	if (!path) {
3630	goto done;
3631	}
3632
3633	rc = ads_do_search_retry(ads, path, LDAP_SCOPE_SUBTREE,
3634	expr, attrs, &res);
3635	if (!ADS_ERR_OK(rc)) {
3636	goto done;
3637	}
3638
3639	if (ads_count_replies(ads, res) != 1) {
3640	goto done;
3641	}
3642
3643	result = ads_pull_string(ads, mem_ctx, res, "displayName");
3644
3645	done:
3646	ads_msgfree(ads, res);
3647	return result;
3648
3649	}
3650
3651	/**
3652	* verify or build and verify an account ou
3653	* @param mem_ctx Pointer to talloc context
3654	* @param ads connection to ads server
3655	* @param account_ou
3656	* @return status of search
3657	**/
3658
3659	ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
3660	ADS_STRUCT *ads,
3661	const char **account_ou)
3662	{
3663	struct ldb_dn *name_dn = NULL;
3664	const char *name = NULL;
3665	char *ou_string = NULL;
3666
3667	name_dn = ldb_dn_explode(mem_ctx, *account_ou);
3668	if (name_dn) {
3669	return ADS_SUCCESS;
3670	}
3671
3672	ou_string = ads_ou_string(ads, *account_ou);
3673	if (!ou_string) {
3674	return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3675	}
3676
3677	name = talloc_asprintf(mem_ctx, "%s,%s", ou_string,
3678	ads->config.bind_path);
3679	SAFE_FREE(ou_string);
3680	if (!name) {
3681	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3682	}
3683
3684	name_dn = ldb_dn_explode(mem_ctx, name);
3685	if (!name_dn) {
3686	return ADS_ERROR_LDAP(LDAP_INVALID_DN_SYNTAX);
3687	}
3688
3689	*account_ou = talloc_strdup(mem_ctx, name);
3690	if (!*account_ou) {
3691	return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
3692	}
3693
3694	return ADS_SUCCESS;
3695	}
3696
3697	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: