smbns_ads.c revision 6537f381d2d9e7b4e2f7b29c3e7a3f13be036f2e
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <ldap.h>
#include <stdlib.h>
#include <netdb.h>
#include <pthread.h>
#include <unistd.h>
#include <resolv.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>
#include <fcntl.h>
#include <smbsrv/libsmbns.h>
#include <smbns_ads.h>
#include <smbns_dyndns.h>
#include <smbns_krb.h>
#define ADS_DN_MAX 300
#define ADS_MAXMSGLEN 512
#define ADS_COMPUTERS_CN "Computers"
#define ADS_COMPUTER_NUM_ATTR 7
#define ADS_SHARE_NUM_ATTR 3
#define ADS_SITE_MAX MAXHOSTNAMELEN
/* current ADS server to communicate with */
char ads_site[ADS_SITE_MAX];
/*
* adjoin_errmsg
*
* Use the adjoin return status defined in adjoin_status_t as the index
* to this table.
*/
static char *adjoin_errmsg[] = {
"ADJOIN succeeded.",
"ADJOIN failed to get handle.",
"ADJOIN failed to generate machine password.",
"ADJOIN failed to add workstation trust account.",
"ADJOIN failed to modify workstation trust account.",
"ADJOIN failed to get list of encryption types.",
"ADJOIN failed to initialize kerberos context.",
"ADJOIN failed to get Kerberos principal.",
"ADJOIN failed to set machine account password on AD.",
"ADJOIN failed to modify CONTROL attribute of the account.",
"ADJOIN failed to write Kerberos keytab file.",
"ADJOIN failed to configure domain_name property for idmapd.",
"ADJOIN failed to refresh idmap service."
};
static int ads_bind(ADS_HANDLE *);
static ADS_HOST_INFO *ads_get_host_info(void);
static void ads_free_host_info(void);
static void ads_free_spnset(char **spn_set);
/*
* ads_init
*
* Initializes the ads_site global variable.
*/
void
ads_init(void)
{
(void) mutex_lock(&ads_site_mtx);
(void) mutex_unlock(&ads_site_mtx);
}
/*
* ads_refresh
*
* If the ads_site has changed, clear the ads_host_info cache.
*/
void
ads_refresh(void)
{
char new_site[ADS_SITE_MAX];
(void) mutex_lock(&ads_site_mtx);
}
(void) mutex_unlock(&ads_site_mtx);
}
/*
* ads_build_unc_name
*
* Construct the UNC name of the share object in the format of
* \\hostname.domain\shareUNC
*
* Returns 0 on success, -1 on error.
*/
int
{
char my_domain[MAXHOSTNAMELEN];
return (-1);
return (0);
}
/*
* ads_skip_domain_name
* Skip domain name format in DNS message. The format is a sequence of
* ascii labels with each label having a length byte at the beginning.
* The domain name is terminated with a NULL character.
* i.e. 3sun3com0
* Parameters:
* bufptr: address of pointer of buffer that contains domain name
* Returns:
* bufptr: points to the data after the domain name label
*/
static void
ads_skip_domain_name(char **bufptr)
{
int i = 0;
unsigned char c, d;
c = (*bufptr)[i++];
d = c & 0xC0;
while (c != 0 && (d != 0xC0)) { /* do nothing */
c = (*bufptr)[i++];
d = c & 0xC0;
}
if (d == 0xC0)
/* skip 2nd byte in 2 byte ptr info */
i++;
*bufptr += i;
}
static int
{
unsigned char c;
c = len & 0xC0;
if (c == 0xC0) {
offset &= 0x3FFF;
if (offset > NS_PACKETSZ) {
return (-1);
}
return (1);
}
return (0);
}
/*
* ads_get_domain_name
* Converts the domain name format in DNS message back to string format.
* The format is a sequence of ascii labels with each label having a length
* byte at the beginning. The domain name is terminated with a NULL
* character.
* i.e. 6procom3com0 -> procom.com
* Parameters:
* bufptr : address of pointer to buffer that contains domain name
* dname_len: length of domain name in label format
* Returns:
* NULL : error
* domain name: in string format using allocated memory
* bufptr : points to the data after the domain name label
*/
static char *
{
int skip = 0;
i = 0;
k = 0;
/* get len of first label */
if (skip == 0) {
/* skip up to first ptr */
skip = i;
}
i = 0;
/* get len of first label */
} else {
if (ret == -1) {
return (NULL);
}
}
while (len) {
return (NULL);
for (j = 0; j < len; j++)
/* get len of next label */
if (skip == 0) {
/* skip up to first ptr */
skip = i;
}
i = 0;
/* get len of first label */
} else if (ret == -1) {
return (NULL);
}
if (len) {
/* replace label len or ptr with '.' */
str[k++] = '.';
}
}
str[k] = 0;
if (skip) {
/* skip name with ptr or just ptr */
} else {
/* skip name */
*bufptr += i;
}
}
/*
* ads_ping
* Ping IP without displaying log. This is used to ping an ADS server to see
* if it is still alive before connecting to it with TCP.
* Parameters:
* hostinetaddr: 4 bytes IP address in network byte order
* Returns:
* -1: error
* 0: successful
*/
/*ARGSUSED*/
static int
ads_ping(unsigned long hostinetaddr)
{
return (0);
}
/*
* ads_free_host_list
*/
static void
{
int i;
for (i = 0; i < count; i++) {
}
}
/*
* ads_set_host_info
* Cache the result of the ADS discovery if the cache is empty.
*/
static void
{
(void) mutex_lock(&ads_host_mtx);
if (!ads_host_info)
(void) mutex_unlock(&ads_host_mtx);
}
/*
* ads_get_host_info
* Get the cached ADS host info.
*/
static ADS_HOST_INFO *
ads_get_host_info(void)
{
(void) mutex_lock(&ads_host_mtx);
(void) mutex_unlock(&ads_host_mtx);
return (host);
}
/*
* ads_find_host
* This routine builds a DNS service location message and sends it to the
* DNS server via UDP to query it for a list of ADS server(s). Once a reply
* is received, the reply message is parsed to get the hostname and IP
* addresses of the ADS server(s). One ADS server will be selected from the
* list. A ping is sent to each host at a time and the one that respond will
* be selected.
*
* The service location of _ldap._tcp.dc.msdcs.<ADS domain> is used to
* guarantee that Microsoft domain controllers are returned. Microsoft domain
* controllers are also ADS servers.
*
* The ADS hostnames are stored in the answer section of the DNS reply message.
* The IP addresses are stored in the additional section.
*
* The DNS reply message may be in compress formed. The compression is done
* on repeating domain name label in the message. i.e hostname.
* Parameters:
* ns: Nameserver to use to find the ADS host
* domain: domain of ADS host.
* sought: the ADS host to be sought. It can be set to empty string to find
* any ADS hosts in that domain.
*
* Returns:
* ADS host: fully qualified hostname, ip address, ldap port
* port : LDAP port of ADS host
*/
/*ARGSUSED*/
int *go_next)
{
int s;
int ipaddr;
int i, ret;
int queryReq;
int quest_type, quest_class;
int dns_ip;
int force_recurs = 0;
*go_next = 0;
/*
* If we have already found an ADS server in the given domain, return
* the cached ADS host if either the sought host is not specified or
* the cached ADS host matches the sought host.
*/
if (ads_host) {
if (same_domain && (!sought ||
return (ads_host);
}
return (NULL);
}
return (NULL);
/* build query request */
query_cnt = 1;
ans_cnt = 0;
namser_cnt = 0;
addit_cnt = 0;
id = dns_get_msgid();
(void) close(s);
return (NULL);
}
(void) close(s);
return (NULL);
}
(void) close(s);
*go_next = 1;
return (NULL);
}
(void) close(s);
return (NULL);
/*
* check if query is successful by checking error
* field in UDP
*/
ret);
*go_next = 1;
return (NULL);
}
if (ans_cnt == 0) {
/* Check if the server supports recursive queries */
goto retry;
}
"No answer section\n");
return (NULL);
}
/* skip question section */
if (query_cnt == 1) {
bufptr += 4;
} else {
"question section, query_cnt: %d???\n", query_cnt);
return (NULL);
}
ads_hosts_list = (ADS_HOST_INFO *)
if (ads_hosts_list == NULL)
return (NULL);
/* check answer section */
for (i = 0; i < ans_cnt; i++) {
/* skip type, class, ttl */
bufptr += 8;
/* len of data after this point */
/* skip priority, weight */
bufptr += 4;
"error decoding DNS answer section\n");
return (NULL);
}
}
/* check authority section */
for (i = 0; i < namser_cnt; i++) {
/* skip type, class, ttl */
bufptr += 8;
/* get len of data */
/* skip data */
}
/* check additional section to get IP address of ads host */
if (addit_cnt > 0) {
int j;
ads_hosts_list2 = (ADS_HOST_INFO *)
if (ads_hosts_list2 == NULL) {
return (NULL);
}
for (i = 0; i < addit_cnt; i++) {
"error decoding DNS additional section\n");
return (NULL);
}
bufptr += 10;
}
/* pick a host that is up */
for (i = 0; i < addit_cnt; i++) {
if ((sought) &&
continue;
continue;
}
for (j = 0; j < ans_cnt; j++)
ads_hosts_list[j].name) == 0)
break;
if (j == ans_cnt) {
return (NULL);
}
ads_host = (ADS_HOST_INFO *)
malloc(sizeof (ADS_HOST_INFO));
return (NULL);
}
return (NULL);
}
return (ads_host);
}
}
"ADS host or ADS host is down.\n");
*go_next = 1;
return (NULL);
}
/*
* ads_convert_domain
* Converts a domain string into its distinguished name i.e. a unique
* name for an entry in the Directory Service.
* Memory is allocated
* for the new string.
* i.e. procom.com -> dc=procom,dc=com
* Parameters:
* s: fully qualified DNS domain string
* Returns:
* NULL if error
* DNS domain in LDAP DN string format
*/
static char *
ads_convert_domain(char *s)
{
if (s == NULL || *s == 0)
return (NULL);
cnt = 0;
t = s;
while (*t) {
if (*t++ == '.') {
cnt++;
}
}
return (NULL);
t = s2;
t += 3;
t2 = s;
while (*s) {
if (*s == '.') {
"buffer overrun for string "
"conversion of %s: tot buf "
"sz alloc: %d, last "
"written buf offset: %d\n",
return (NULL);
}
t += 4;
s++;
} else {
"buffer overrun for string "
"conversion of %s: tot buf "
"sz alloc: %d, last "
"written buf offset: %d\n",
return (NULL);
}
*t++ = *s++;
}
}
*t = '\0';
return (s2);
}
/*
* ads_free_host_info
* Free the memory use by the global ads_host_info and set it to NULL.
*/
static void
ads_free_host_info(void)
{
(void) mutex_lock(&ads_host_mtx);
if (ads_host_info) {
}
(void) mutex_unlock(&ads_host_mtx);
}
/*
* ads_open
* Open a LDAP connection to an ADS server if the system is in domain mode.
* Acquire both Kerberos TGT and LDAP service tickets for the host principal.
*
* This function should only be called after the system is successfully joined
* to a domain.
*/
ads_open(void)
{
char domain[MAXHOSTNAMELEN];
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
return (NULL);
return (NULL);
}
/*
* ads_open_main
* Open a LDAP connection to an ADS server.
* If ADS is enabled and the administrative username, password, and
* ADS domain are defined then query DNS to find an ADS server if this is the
* very first call to this routine. After an ADS server is found then this
* server will be used everytime this routine is called until the system is
* rebooted or the ADS server becomes unavailable then an ADS server will
* be queried again. The ADS server is always ping before an LDAP connection
* is made to it. If the pings fail then DNS is used once more to find an
* available ADS server. If the ping is successful then an LDAP connection
* is made to the ADS server. After the connection is made then an ADS handle
* is created to be returned.
*
* After the LDAP connection, the LDAP version will be set to 3 using
* ldap_set_option().
*
* The ads_bind() routine is also called before the ADS handle is returned.
* Parameters:
* domain - fully-qualified domain name
* user - the user account for whom the Kerberos TGT ticket and ADS
* service tickets are acquired.
* password - password of the specified user
*
* Returns:
* NULL : can't connect to ADS server or other errors
* ADS_HANDLE* : handle to ADS server
*/
static ADS_HANDLE *
{
ADS_HANDLE *ah;
char site[ADS_SITE_MAX];
char service[MAXHOSTNAMELEN];
char site_service[MAXHOSTNAMELEN];
(void) mutex_lock(&ads_site_mtx);
(void) mutex_unlock(&ads_site_mtx);
find_ads_retry = 0;
if (!ads_host) {
if (*site != '\0') {
} else {
*site_service = '\0';
}
"_ldap._tcp.dc._msdcs.%s", domain);
go_next = 0;
for (i = 0; i < cnt; i++) {
if (*site_service != '\0') {
&go_next);
}
}
break;
if (go_next == 0)
break;
}
}
"configured nameservers");
return (NULL);
}
if (find_ads_retry == 0) {
find_ads_retry = 1;
goto find_ads_host;
}
return (NULL);
}
return (NULL);
}
if (find_ads_retry == 0) {
find_ads_retry = 1;
goto find_ads_host;
}
return (NULL);
}
!= LDAP_SUCCESS) {
"LDAP_OPT_PROTOCOL_VERSION %d\n", version);
(void) ldap_unbind(ld);
return (NULL);
}
return (NULL);
}
return (NULL);
}
return (NULL);
}
if (site) {
return (NULL);
}
} else {
}
return (NULL);
}
return (ah);
}
/*
* ads_close
* Close connection to ADS server and free memory allocated for ADS handle.
* LDAP unbind is called here.
* Parameters:
* ah: handle to ADS server
* Returns:
* void
*/
void
{
int len;
return;
/* close and free connection resources */
/* zero out the memory that contains user's password */
if (len > 0)
}
}
/*
* ads_display_stat
* Display error message for GSS-API routines.
* Parameters:
* maj: GSS major status
* min: GSS minor status
* Returns:
* None
*/
static void
{
}
/*
* ads_alloc_attr
*
* Since the attrs is a null-terminated array, all elements
* in the array (except the last one) will point to allocated
* memory.
*/
static int
{
int i;
for (i = 0; i < (num - 1); i++) {
return (-1);
}
}
return (0);
}
/*
* ads_free_attr
* Free memory allocated when publishing a share.
* Parameters:
* attrs: an array of LDAPMod pointers
* Returns:
* None
*/
static void
{
int i;
for (i = 0; attrs[i]; i++) {
}
}
/*
* ads_get_spnset
*
* Derives the core set of SPNs based on the FQHN.
* The spn_set is a null-terminated array of char pointers.
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
int i;
for (i = 0; i < SMBKRB5_SPN_IDX_MAX; i++) {
return (-1);
}
}
return (0);
}
/*
* ads_free_spnset
*
* Free the memory allocated for the set of SPNs.
*/
static void
ads_free_spnset(char **spn_set)
{
int i;
for (i = 0; spn_set[i]; i++)
}
/*
* ads_acquire_cred
* Called by ads_bind() to get a handle to administrative user's credential
* stored locally on the system. The credential is the TGT. If the attempt at
* getting handle fails then a second attempt will be made after getting a
* new TGT.
* Please look at ads_bind() for more information.
*
* Paramters:
* ah : handle to ADS server
* kinit_retry: if 0 then a second attempt will be made to get handle to the
* credential if the first attempt fails
* Returns:
* cred_handle: handle to the administrative user's credential (TGT)
* oid : contains Kerberos 5 object identifier
* kinit_retry: A 1 indicates that a second attempt has been made to get
* handle to the credential and no further attempts can be made
* -1 : error
* 0 : success
*/
static int
int *kinit_retry)
{
kinit_retry, "ads"));
}
/*
* ads_establish_sec_context
* Called by ads_bind() to establish a security context to an LDAP service on
* an ADS server. If the attempt at establishing the security context fails
* then a second attempt will be made by ads_bind() if a new TGT has not been
* already obtained in ads_acquire_cred. The second attempt, if allowed, will
* obtained a new TGT here and a new handle to the credential will also be
* obtained in ads_acquire_cred. LDAP SASL bind is used to send and receive
* the GSS tokens to and from the ADS server.
* Please look at ads_bind for more information.
* Paramters:
* ah : handle to ADS server
* cred_handle : handle to administrative user's credential (TGT)
* oid : Kerberos 5 object identifier
* kinit_retry : if 0 then a second attempt can be made to establish a
* security context with ADS server if first attempt fails
* Returns:
* gss_context : security context to ADS server
* sercred : encrypted ADS server's supported security layers
* do_acquire_cred: if 1 then a second attempt will be made to establish a
* security context with ADS server after getting a new
* handle to the user's credential
* kinit_retry : if 1 then a second attempt will be made to establish a
* a security context and no further attempts can be made
* -1 : error
* 0 : success
*/
static int
int *kinit_retry, int *do_acquire_cred)
{
char service_name[ADS_MAXBUFLEN];
int stat;
int gss_flags;
&target_name)) != GSS_S_COMPLETE) {
if (oid != GSS_C_NO_OID)
return (-1);
}
do {
if (oid != GSS_C_NO_OID)
return (-1);
}
if (*sercred) {
}
if (stat != LDAP_SUCCESS &&
/* LINTED - E_SEC_PRINTF_VAR_FMT */
if (oid != GSS_C_NO_OID)
return (-1);
}
} while (maj != GSS_S_COMPLETE);
if (oid != GSS_C_NO_OID)
return (0);
}
/*
* ads_negotiate_sec_layer
* Call by ads_bind() to negotiate additional security layer for further
* communication after security context establishment. No additional security
* is needed so a "no security layer" is negotiated. The security layer is
* described in the SASL RFC 2478 and this step is needed for secure LDAP
* binding. LDAP SASL bind is used to send and receive the GSS tokens to and
* from the ADS server.
* Please look at ads_bind for more information.
*
* Paramters:
* ah : handle to ADS server
* gss_context: security context to ADS server
* sercred : encrypted ADS server's supported security layers
* Returns:
* -1 : error
* 0 : success
*/
static int
{
int conf_state, sec_layer;
char auth_id[5];
int stat;
/* check for server supported security layer */
if (sercred)
return (-1);
}
if (!(sec_layer & 1)) {
"no security layer!\n");
return (-1);
}
/* no security layer needed after successful binding */
auth_id[0] = 0x01;
/* byte 2-4: max client recv size in network byte order */
conf_state = 0;
return (-1);
}
&sercred);
/* LINTED - E_SEC_PRINTF_VAR_FMT */
return (-1);
}
if (sercred)
return (0);
}
/*
* ads_bind
* Use secure binding to bind to ADS server.
* Use GSS-API with Kerberos 5 as the security mechanism and LDAP SASL with
* Kerberos 5 as the security mechanisn to authenticate, obtain a security
* context, and securely bind an administrative user so that other LDAP
* commands can be used, i.e. add and delete.
*
* To obtain the security context, a Kerberos ticket-granting ticket (TGT)
* for the user is needed to obtain a ticket for the LDAP service. To get
* a TGT for the user, the username and password is needed. Once a TGT is
* obtained then it will be stored locally and used until it is expired.
* This routine will automatically obtained a TGT for the first time or when
* it expired. LDAP SASL bind is then finally used to send GSS tokens to
* obtain a security context for the LDAP service on the ADS server. If
* there is any problem getting the security context then a new TGT will be
* obtain to try getting the security context once more.
*
* After the security context is obtain and established, the LDAP SASL bind
* is used to negotiate an additional security layer. No further security is
* needed so a "no security layer" is negotiated. After this the security
* context can be deleted and further LDAP commands can be sent to the ADS
* server until a LDAP unbind command is issued to the ADS server.
* Paramaters:
* ah: handle to ADS server
* Returns:
* -1: error
* 0: success
*/
static int
{
int kinit_retry, do_acquire_cred;
int rc = 0;
kinit_retry = 0;
do_acquire_cred = 0;
return (-1);
if (do_acquire_cred) {
do_acquire_cred = 0;
goto acquire_cred;
}
return (-1);
}
if (cred_handle != GSS_C_NO_CREDENTIAL)
return ((rc) ? -1 : 0);
}
/*
* ads_add_share
* Call by ads_publish_share to create share object in ADS.
* This routine specifies the attributes of an ADS LDAP share object. The first
* attribute and values define the type of ADS object, the share object. The
* second attribute and value define the UNC of the share data for the share
* object. The LDAP synchronous add command is used to add the object into ADS.
* The container location to add the object needs to specified.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object to be created in ADS
* shareUNC : share name on NetForce
* adsContainer: location in ADS to create share object
*
* Returns:
* -1 : error
* 0 : success
*/
int
const char *unc_name, const char *adsContainer)
{
int j = 0;
char *share_dn;
char buf[ADS_MAXMSGLEN];
return (-1);
return (-1);
}
tmp1[0] = "top";
tmp1[4] = 0;
tmp2[1] = 0;
"ads_add_share: %s:", share_dn);
/* LINTED - E_SEC_PRINTF_VAR_FMT */
return (ret);
}
"Share %s has been added to ADS container: %s.\n", adsShareName,
return (0);
}
/*
* ads_del_share
* Call by ads_remove_share to remove share object from ADS. The container
* location to remove the object needs to specified. The LDAP synchronous
* delete command is used.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object in ADS to be removed
* adsContainer: location of share object in ADS
* Returns:
* -1 : error
* 0 : success
*/
static int
const char *adsContainer)
{
return (-1);
/* LINTED - E_SEC_PRINTF_VAR_FMT */
return (-1);
}
"Share %s has been removed from ADS container: %s.\n",
return (0);
}
/*
* ads_escape_search_filter_chars
*
* This routine will escape the special characters found in a string
* that will later be passed to the ldap search filter.
*
* RFC 1960 - A String Representation of LDAP Search Filters
* 3. String Search Filter Definition
* If a value must contain one of the characters '*' OR '(' OR ')',
* these characters
* should be escaped by preceding them with the backslash '\' character.
*
* RFC 2252 - LDAP Attribute Syntax Definitions
* a backslash quoting mechanism is used to escape
* the following separator symbol character (such as "'", "$" or "#") if
* it should occur in that string.
*/
static int
{
return (-1);
while (*src) {
if (!avail) {
*dst = 0;
return (-1);
}
switch (*src) {
case '\\':
case '\'':
case '$':
case '#':
case '*':
case '(':
case ')':
*dst++ = '\\';
avail--;
/* fall through */
default:
avail--;
}
}
*dst = 0;
return (0);
}
/*
* ads_lookup_share
* The search filter is set to search for a specific share name in the
* specified ADS container. The LDSAP synchronous search command is used.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object in ADS to be searched
* adsContainer: location of share object in ADS
* Returns:
* -1 : error
* 0 : not found
* 1 : found
*/
int
const char *adsContainer, char *unc_name)
{
char *share_dn;
char tmpbuf[ADS_MAXBUFLEN];
return (-1);
return (-1);
attrs[0] = "cn";
return (-1);
}
"(&(objectClass=volume)(uNCName=%s))", tmpbuf);
/* LINTED - E_SEC_PRINTF_VAR_FMT */
(void) ldap_msgfree(res);
return (0);
}
/* no match is found */
(void) ldap_msgfree(res);
return (0);
}
/* free the search results */
(void) ldap_msgfree(res);
return (1);
}
/*
* ads_convert_directory
* Convert relative share directory to UNC to be appended to hostname.
* i.e. cvol/a/b -> cvol\a\b
*/
char *
ads_convert_directory(char *rel_dir)
{
char *t, *s2;
int len;
return (NULL);
return (NULL);
t = s2;
while (*rel_dir) {
if (*rel_dir == '/') {
*t++ = '\\';
rel_dir++;
} else {
*t++ = *rel_dir++;
}
}
*t = '\0';
return (s2);
}
/*
* ads_publish_share
* Publish share into ADS. If a share name already exist in ADS in the same
* container then the existing share object is removed before adding the new
* share object.
* Parameters:
* ah : handle return from ads_open
* adsShareName: name of share to be added to ADS directory
* shareUNC : name of share on client, can be NULL to use the same name
* as adsShareName
* adsContainer: location for share to be added in ADS directory, ie
* ou=share_folder
* uncType : use UNC_HOSTNAME to use hostname for UNC, use UNC_HOSTADDR
* to use host ip addr for UNC.
* Returns:
* -1 : error
* 0 : success
*/
int
{
int ret;
char unc_name[ADS_MAXBUFLEN];
return (-1);
"[missing UNC name]", shareUNC);
return (-1);
}
switch (ret) {
case 1:
break;
case 0:
if (ret == LDAP_ALREADY_EXISTS) {
"[name is already in use]", adsShareName);
ret = -1;
}
break;
case -1:
default:
/* return with error code */
ret = -1;
}
return (ret);
}
/*
* ads_remove_share
* Remove share from ADS. A search is done first before explicitly removing
* the share.
* Parameters:
* ah : handle return from ads_open
* adsShareName: name of share to be removed from ADS directory
* adsContainer: location for share to be removed from ADS directory, ie
* ou=share_folder
* Returns:
* -1 : error
* 0 : success
*/
int
const char *adsContainer, const char *hostname)
{
int ret;
char unc_name[ADS_MAXBUFLEN];
return (-1);
"ADS [missing UNC name]", shareUNC);
return (-1);
}
if (ret == 0)
return (0);
if (ret == -1)
return (-1);
}
/*
* ads_get_computer_dn
*
* Build the distinguish name for this system.
*/
static void
{
char hostname[MAXHOSTNAMELEN];
}
/*
* ads_add_computer
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
}
/*
* ads_modify_computer
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
}
static int
{
int j = -1;
int ret, usrctl_flags = 0;
char fqhost[MAXHOSTNAMELEN];
char dn[ADS_DN_MAX];
char *user_principal;
char usrctl_buf[16];
int max;
return (-1);
return (-1);
if (user_principal == NULL) {
return (-1);
}
return (-1);
}
/* objectClass attribute is not modifiable. */
if (op == LDAP_MOD_ADD) {
oc_vals[0] = "top";
oc_vals[5] = 0;
}
sam_val[1] = 0;
usr_val[0] = user_principal;
usr_val[1] = 0;
ctl_val[0] = usrctl_buf;
ctl_val[1] = 0;
fqh_val[1] = 0;
switch (op) {
case LDAP_MOD_ADD:
ret = -1;
}
break;
case LDAP_MOD_REPLACE:
ret = -1;
}
break;
default:
ret = -1;
}
return (ret);
}
/*
* Delete an ADS computer account.
*/
static void
{
char dn[ADS_DN_MAX];
int rc;
}
}
/*
* ads_lookup_computer_n_attr
*
* Lookup the value of the specified attribute on the computer
* object. If the specified attribute can be found, its value is returned
* via 'val' parameter.
*
* 'attr' parameter can be set to NULL if you only attempt to
* see whether the computer object exists on AD or not.
*
* Return:
* 1 if both the computer and the specified attribute is found.
* 0 if either the computer or the specified attribute is not found.
* -1 on error.
*/
static int
{
char **vals;
char tmpbuf[ADS_MAXBUFLEN];
char dn[ADS_DN_MAX];
return (-1);
return (-1);
}
tmpbuf);
&res) != LDAP_SUCCESS) {
(void) ldap_msgfree(res);
return (0);
}
if (attr) {
/* no match for the specified attribute is found */
if (val)
(void) ldap_msgfree(res);
return (0);
}
if (entry) {
(void) ldap_msgfree(res);
return (0);
}
}
}
/* free the search results */
(void) ldap_msgfree(res);
return (1);
}
/*
* ads_find_computer
*
* Return:
* 1 if found.
* 0 if not found or encounters error.
*/
static int
{
}
/*
* ads_update_computer_cntrl_attr
*
* Modify the user account control attribute of an existing computer
* object on AD.
*
* Returns 0 on success. Otherwise, returns -1.
*/
static int
{
char *ctl_val[2];
int ret, usrctl_flags = 0;
char dn[ADS_DN_MAX];
char usrctl_buf[16];
return (-1);
if (des_only)
ctl_val[0] = usrctl_buf;
ctl_val[1] = 0;
ret = -1;
}
return (ret);
}
/*
* ads_update_attrs
*
* Updates the servicePrincipalName and dNSHostName attributes of the
* system's AD computer object.
*/
int
ads_update_attrs(void)
{
ADS_HANDLE *ah;
char *fqh_val[2];
int i = 0;
int ret;
char fqhost[MAXHOSTNAMELEN];
char dn[ADS_DN_MAX];
return (-1);
return (-1);
}
return (-1);
}
return (-1);
}
fqh_val[1] = 0;
ret = -1;
}
return (ret);
}
/*
* ads_lookup_computer_attr_kvno
*
* Lookup the value of the Kerberos version number attribute of the computer
* account.
*/
static krb5_kvno
{
int kvno = 1;
&val) == 1) {
if (val) {
}
}
return (kvno);
}
/*
* ads_gen_machine_passwd
*
* Returned a null-terminated machine password generated randomly
* from [0-9a-zA-Z] character set. In order to pass the password
* quality check (three character classes), an uppercase letter is
* used as the first character of the machine password.
*/
static int
{
char *data = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ";
int i, data_idx;
if (!machine_passwd || bufsz == 0)
return (-1);
/*
* The decimal value of upper case 'A' is 65. Randomly pick
* an upper-case letter from the ascii table.
*/
}
return (0);
}
/*
* ads_domain_change_cleanup
*
* If we're attempting to join the system to a new domain, the keys for
* the host principal regarding the old domain should be removed from
* Kerberos keytab. Also, the ads_host_info cache should be cleared.
*
* newdom is fully-qualified domain name. It can be set to empty string
* if user attempts to switch to workgroup mode.
*/
int
ads_domain_change_cleanup(char *newdom)
{
char origdom[MAXHOSTNAMELEN];
int rc;
return (0);
}
return (0);
if (smb_krb5_ctx_init(&ctx) != 0)
return (-1);
return (-1);
}
return (rc);
}
/*
* ads_join
*
* Besides the NT-4 style domain join (using MS-RPC), CIFS server also
* provides the domain join using Kerberos Authentication, Keberos
* Change & Set password, and LDAP protocols. Basically, AD join
* operation would require the following tickets to be acquired for the
* the user account that is provided for the domain join.
*
* 1) a Keberos TGT ticket,
* 2) a ldap service ticket, and
*
* The ADS client first sends a ldap search request to find out whether
* or not the workstation trust account already exists in the Active Directory.
* The existing computer object for this workstation will be removed and
* a new one will be added. The machine account password is randomly
* generated and set for the newly created computer object using KPASSD
* protocol (See RFC 3244). Once the password is set, our ADS client
* finalizes the machine account by modifying the user acount control
* attribute of the computer object. Kerberos keys derived from the machine
* account password will be stored locally in /etc/krb5/krb5.keytab file.
* That would be needed while acquiring Kerberos TGT ticket for the host
* principal after the domain join operation.
*/
int len)
{
/*
* Call library functions that can be used to get
* the list of encryption algorithms available on the system.
* (similar to what 'encrypt -l' CLI does). For now,
* unless someone has modified the configuration of the
* cryptographic framework (very unlikely), the following is the
* list of algorithms available on any system running Nevada
* by default.
*/
return (ADJOIN_ERR_GET_HANDLE);
}
return (ADJOIN_ERR_GEN_PASSWD);
}
if (ads_find_computer(ah)) {
if (ads_modify_computer(ah) != 0) {
return (ADJOIN_ERR_MOD_TRUST_ACCT);
}
} else {
if (ads_add_computer(ah) != 0) {
return (ADJOIN_ERR_ADD_TRUST_ACCT);
}
}
/*
* If we are talking to a Longhorn server, we need to set up
* the msDS-SupportedEncryptionTypes attribute of the computer
* object accordingly
*
* The code to modify the msDS-SupportedEncryptionTypes can be
* added once we figure out why the Longhorn server rejects the
* SmbSessionSetup request sent by SMB redirector.
*/
if (smb_krb5_ctx_init(&ctx) != 0) {
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
machine_passwd) != 0) {
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
(sizeof (enctypes) / sizeof (krb5_enctype))) != 0) {
goto adjoin_cleanup;
}
/* Set IDMAP config */
goto adjoin_cleanup;
}
/* Refresh IDMAP service */
if (smb_config_refresh_idmap() != 0) {
goto adjoin_cleanup;
}
if (rc != ADJOIN_ERR_INIT_KRB_CTX) {
if (rc != ADJOIN_ERR_GET_SPNS)
}
return (rc);
}
/*
* adjoin_report_err
*
* Display error message for the specific adjoin error code.
*/
char *
{
return ("ADJOIN: unknown status");
return (adjoin_errmsg[status]);
}