smbns_ads.c revision c28afb19581b550bf02e148f953e3b239421e1ee
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#include <ldap.h>
#include <stdlib.h>
#include <netdb.h>
#include <pthread.h>
#include <unistd.h>
#include <resolv.h>
#include <string.h>
#include <strings.h>
#include <fcntl.h>
#include <assert.h>
#include <note.h>
#include <errno.h>
#include <cryptoutil.h>
#include <smbsrv/libsmbns.h>
#include <smbns_dyndns.h>
#include <smbns_krb.h>
#define SMB_ADS_MAXBUFLEN 100
#define SMB_ADS_DN_MAX 300
#define SMB_ADS_MAXMSGLEN 512
#define SMB_ADS_COMPUTERS_CN "Computers"
#define SMB_ADS_COMPUTER_NUM_ATTR 8
#define SMB_ADS_SHARE_NUM_ATTR 3
#define SMB_ADS_SITE_MAX MAXHOSTNAMELEN
/*
* [MS-DISO] A machine password is an ASCII string of randomly chosen
* characters. Each character's ASCII code is between 32 and 122 inclusive.
*/
#define SMB_ADS_PWD_CHAR_NUM 91
#define SMB_ADS_PWD_CHAR_START 32
#define SMB_ADS_MSDCS_SRV_DC_RR "_ldap._tcp.dc._msdcs"
#define SMB_ADS_MSDCS_SRV_SITE_RR "_ldap._tcp.%s._sites.dc._msdcs"
/*
* domainControllerFunctionality
*
* This rootDSE attribute indicates the functional level of the DC.
*/
#define SMB_ADS_ATTR_DCLEVEL "domainControllerFunctionality"
#define SMB_ADS_DCLEVEL_W2K 0
#define SMB_ADS_DCLEVEL_W2K3 2
#define SMB_ADS_DCLEVEL_W2K8 3
#define SMB_ADS_DCLEVEL_W2K8_R2 4
/*
* msDs-supportedEncryptionTypes (Windows Server 2008 only)
*
* This attribute defines the encryption types supported by the system.
* Encryption Types:
* - DES cbc mode with CRC-32
* - DES cbc mode with RSA-MD5
* - AES-128
* - AES-256
*/
#define SMB_ADS_ATTR_ENCTYPES "msDs-supportedEncryptionTypes"
#define SMB_ADS_ENC_DES_CRC 1
#define SMB_ADS_ENC_DES_MD5 2
#define SMB_ADS_ENC_RC4 4
#define SMB_ADS_ENC_AES128 8
#define SMB_ADS_ENC_AES256 16
static krb5_enctype w2k8enctypes[] = {
};
static krb5_enctype pre_w2k8enctypes[] = {
};
#define SMB_ADS_ATTR_SAMACCT "sAMAccountName"
#define SMB_ADS_ATTR_UPN "userPrincipalName"
#define SMB_ADS_ATTR_SPN "servicePrincipalName"
#define SMB_ADS_ATTR_CTL "userAccountControl"
#define SMB_ADS_ATTR_DNSHOST "dNSHostName"
#define SMB_ADS_ATTR_KVNO "msDS-KeyVersionNumber"
#define SMB_ADS_ATTR_DN "distinguishedName"
/*
* UserAccountControl flags: manipulate user account properties.
*
* The hexadecimal value of the following property flags are based on MSDN
* article # 305144.
*/
#define SMB_ADS_USER_ACCT_CTL_SCRIPT 0x00000001
#define SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE 0x00000002
#define SMB_ADS_USER_ACCT_CTL_HOMEDIR_REQUIRED 0x00000008
#define SMB_ADS_USER_ACCT_CTL_LOCKOUT 0x00000010
#define SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD 0x00000020
#define SMB_ADS_USER_ACCT_CTL_PASSWD_CANT_CHANGE 0x00000040
#define SMB_ADS_USER_ACCT_CTL_ENCRYPTED_TEXT_PWD_ALLOWED 0x00000080
#define SMB_ADS_USER_ACCT_CTL_TMP_DUP_ACCT 0x00000100
#define SMB_ADS_USER_ACCT_CTL_NORMAL_ACCT 0x00000200
#define SMB_ADS_USER_ACCT_CTL_INTERDOMAIN_TRUST_ACCT 0x00000800
#define SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT 0x00001000
#define SMB_ADS_USER_ACCT_CTL_SRV_TRUST_ACCT 0x00002000
#define SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD 0x00010000
#define SMB_ADS_USER_ACCT_CTL_MNS_LOGON_ACCT 0x00020000
#define SMB_ADS_USER_ACCT_CTL_SMARTCARD_REQUIRED 0x00040000
#define SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION 0x00080000
#define SMB_ADS_USER_ACCT_CTL_NOT_DELEGATED 0x00100000
#define SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY 0x00200000
#define SMB_ADS_USER_ACCT_CTL_DONT_REQ_PREAUTH 0x00400000
#define SMB_ADS_USER_ACCT_CTL_PASSWD_EXPIRED 0x00800000
#define SMB_ADS_USER_ACCT_CTL_TRUSTED_TO_AUTH_FOR_DELEGATION 0x01000000
/*
* Length of "dc=" prefix.
*/
#define SMB_ADS_DN_PREFIX_LEN 3
static char *smb_ads_computer_objcls[] = {
"top", "person", "organizationalPerson",
};
static char *smb_ads_share_objcls[] = {
};
/* Cached ADS server to communicate with */
static mutex_t smb_ads_cached_host_mtx;
/*
* SMB ADS config cache is maintained to facilitate the detection of
* changes in configuration that is relevant to AD selection.
*/
typedef struct smb_ads_config {
char c_site[SMB_ADS_SITE_MAX];
static smb_ads_config_t smb_ads_cfg;
typedef struct smb_ads_avpair {
char *avp_attr;
char *avp_val;
/* query status */
typedef enum smb_ads_qstat {
SMB_ADS_STAT_ERR = -2,
typedef struct smb_ads_host_list {
int ah_cnt;
static smb_ads_handle_t *smb_ads_open_main(char *, char *, char *);
static int smb_ads_add_computer(smb_ads_handle_t *, int, char *);
static int smb_ads_modify_computer(smb_ads_handle_t *, int, char *);
static int smb_ads_computer_op(smb_ads_handle_t *, int, int, char *);
smb_ads_avpair_t *, int, char *);
static int smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *, int, char *);
static int smb_ads_gen_machine_passwd(char *, size_t);
static void smb_ads_free_cached_host(void);
static int smb_ads_alloc_attr(LDAPMod **, int);
static void smb_ads_free_attr(LDAPMod **);
static int smb_ads_get_dc_level(smb_ads_handle_t *);
smb_ads_avpair_t *);
smb_ads_avpair_t *);
static boolean_t smb_ads_is_same_domain(char *, char *);
static boolean_t smb_ads_is_pdc_configured(void);
static char *smb_ads_get_sharedn(const char *, const char *, const char *);
static krb5_enctype *smb_ads_get_enctypes(int, int *);
/*
* smb_ads_init
*
* Initializes the ADS config cache.
*/
void
smb_ads_init(void)
{
(void) smb_config_getstr(SMB_CI_ADS_SITE,
}
void
smb_ads_fini(void)
{
}
/*
* smb_ads_refresh
*
* Clearing the smb_ads_cached_host_info would allow the next DC
* discovery process to pick up an AD based on the new AD configuration.
*/
void
smb_ads_refresh(void)
{
char new_site[SMB_ADS_SITE_MAX];
}
(void) mutex_lock(&smb_ads_cached_host_mtx);
if (smb_ads_cached_host_info &&
(void) mutex_unlock(&smb_ads_cached_host_mtx);
if (purge)
}
static boolean_t
{
return (configured);
}
/*
* smb_ads_build_unc_name
*
* Construct the UNC name of the share object in the format of
* \\hostname.domain\shareUNC
*
* Returns 0 on success, -1 on error.
*/
int
{
char my_domain[MAXHOSTNAMELEN];
return (-1);
return (0);
}
/*
* smb_ads_ldap_ping
*
* This is used to bind to an ADS server to see
* if it is still alive.
*
* Returns:
* -1: error
* 0: successful
*/
/*ARGSUSED*/
static int
{
return (-1);
if (status != LDAP_SUCCESS) {
(void) ldap_unbind(ld);
return (-1);
}
(void) ldap_unbind(ld);
return (0);
}
/*
* The cached ADS host is no longer valid if one of the following criteria
* is satisfied:
*
* 1) not in the specified domain
* 2) not the sought host (if specified)
* 3) not reachable
*
* The caller is responsible for acquiring the smb_ads_cached_host_mtx lock
* prior to calling this function.
*
* Return B_TRUE if the cache host is still valid. Otherwise, return B_FALSE.
*/
static boolean_t
{
if (!smb_ads_cached_host_info)
return (B_FALSE);
return (B_FALSE);
if (smb_ads_ldap_ping(smb_ads_cached_host_info) == 0) {
if (!srv)
return (B_TRUE);
return (B_TRUE);
}
return (B_FALSE);
}
/*
* smb_ads_is_sought_host
*
* Returns true, if the sought host name matches the input host (host) name.
* The sought host is expected to be in Fully Qualified Domain Name (FQDN)
* format.
*/
static boolean_t
{
return (B_FALSE);
return (B_FALSE);
return (B_TRUE);
}
/*
* smb_ads_match_hosts_same_domain
*
* Returns true, if the cached ADS host is in the same domain as the
* current (given) domain.
*/
static boolean_t
{
char *cached_host_domain;
return (B_FALSE);
if (cached_host_domain == NULL)
return (B_FALSE);
return (B_FALSE);
return (B_TRUE);
}
/*
* smb_ads_skip_ques_sec
* Skips the question section.
*/
static int
{
int i, len;
for (i = 0; i < qcnt; i++) {
return (-1);
}
return (0);
}
/*
* smb_ads_decode_host_ans_sec
* Decodes ADS hosts, priority, weight and port number from the answer
* section based on the current buffer pointer.
*/
static int
{
int i, len;
for (i = 0; i < ans_cnt; i++) {
ads_host = &ads_host_list[i];
return (-1);
/* skip type, class, ttl */
*ptr += 8;
/* data size */
*ptr += 2;
/* Get priority, weight */
/* LINTED: E_CONSTANT_CONDITION */
/* LINTED: E_CONSTANT_CONDITION */
/* port */
/* LINTED: E_CONSTANT_CONDITION */
/* domain name */
if (len < 0)
return (-1);
}
return (0);
}
/*
* smb_ads_skip_auth_sec
* Skips the authority section.
*/
static int
{
int i, len;
for (i = 0; i < ns_cnt; i++) {
return (-1);
/* skip type, class, ttl */
*ptr += 8;
/* get len of data */
/* LINTED: E_CONSTANT_CONDITION */
return (-1);
}
return (0);
}
/*
* smb_ads_decode_host_ip
*
* Decodes ADS hosts and IP Addresses from the additional section based
* on the current buffer pointer.
*/
static int
{
int i, j, len;
char hostname[MAXHOSTNAMELEN];
char *name;
for (i = 0; i < addit_cnt; i++) {
/* domain name */
if (len < 0)
return (-1);
/* skip type, class, TTL, data len */
*ptr += 8;
/* LINTED: E_CONSTANT_CONDITION */
/* LINTED: E_CONSTANT_CONDITION */
#ifdef BIG_ENDIAN
#else
for (i = 0; i < IN6ADDRSZ; i++)
#endif
}
/*
* find the host in the list of DC records from
* the answer section, that matches the host in the
* additional section, and set its IP address.
*/
for (j = 0; j < ans_cnt; j++) {
continue;
}
}
}
return (0);
}
/*
* smb_ads_dup_host_info
*
* Duplicates the passed smb_ads_host_info_t structure.
* Caller must free memory allocated by this method.
*
* Returns a reference to the duplicated smb_ads_host_info_t structure.
* Returns NULL on error.
*/
static smb_ads_host_info_t *
{
return (NULL);
return (dup_host);
}
/*
* smb_ads_hlist_alloc
*/
static smb_ads_host_list_t *
smb_ads_hlist_alloc(int count)
{
int size;
if (count == 0)
return (NULL);
return (NULL);
return (NULL);
}
return (hlist);
}
/*
* smb_ads_hlist_free
*/
static void
{
return;
}
/*
* smb_ads_query_dns_server
*
* This routine sends a DNS service location (SRV) query message to the
* DNS server via TCP to query it for a list of ADS server(s). Once a reply
* is received, the reply message is parsed to get the hostname. If there are IP
* addresses populated in the additional section then the additional section
* is parsed to obtain the IP addresses.
*
* The service location of _ldap._tcp.dc.msdcs.<ADS domain> is used to
* guarantee that Microsoft domain controllers are returned. Microsoft domain
* controllers are also ADS servers.
*
* The ADS hostnames are stored in the answer section of the DNS reply message.
* The IP addresses are stored in the additional section.
*
* The DNS reply message may be in compress formed. The compression is done
* on repeating domain name label in the message. i.e hostname.
*
* Upon successful completion, host list of ADS server(s) is returned.
*/
static smb_ads_host_list_t *
{
struct __res_state res_state;
union {
} msg;
return (NULL);
/* use TCP */
if (len < 0) {
return (NULL);
}
"DNS query for %s failed: too big", msdcs_svc_name);
return (NULL);
}
/* parse the reply, skip header and question sections */
/* check truncated message bit */
"DNS query for %s failed: truncated", msdcs_svc_name);
return (NULL);
}
return (NULL);
}
/* walk through the answer section */
return (NULL);
}
/* check authority section */
if (ns_cnt > 0) {
return (NULL);
}
}
/*
* Check additional section to get IP address of ADS host.
*/
if (addit_cnt > 0) {
return (NULL);
}
}
return (hlist);
}
/*
* smb_ads_get_site_service
*
* Gets the msdcs SRV RR for the specified site.
*/
static void
{
*site_service = '\0';
else
}
/*
* smb_ads_getipnodebyname
*
* This method gets the IP address by doing a host name lookup.
*/
static int
{
struct hostent *h;
int error;
case AF_INET6:
AI_DEFAULT, &error);
return (-1);
break;
case AF_INET:
0, &error);
return (-1);
break;
default:
return (-1);
}
freehostent(h);
return (0);
}
/*
* Checks the IP address to see if it is zero. If so, then do a host
* lookup by hostname to get the IP address based on the IP family.
*
* If the family is unknown then do a lookup by hostame based on the
* setting of the SMB_CI_IPV6_ENABLE property.
*/
static int
{
if (smb_ads_getipnodebyname(hentry) < 0)
return (-1);
} else if (SMB_ADS_AF_UNKNOWN(hentry)) {
if (smb_ads_getipnodebyname(hentry) < 0) {
return (-1);
}
}
return (0);
}
/*
* smb_ads_find_host
*
* Finds an ADS host in a given domain.
*
* If the cached host is valid, it will be used. Otherwise, a DC will
* be selected based on the following criteria:
*
* 1) pdc (aka preferred DC) configuration
* 2) AD site configuration - the scope of the DNS lookup will be
* restricted to the specified site.
* 3) DC on the same subnet
*
* The above items are listed in decreasing preference order. The selected
* DC must be online.
*
* If this function is called during domain join, the specified kpasswd server
* takes precedence over preferred DC, AD site, and so on.
*
* Parameters:
* domain: fully-qualified domain name.
* kpasswd_srv: fully-quailifed hostname of the kpasswd server.
*
* Returns:
* A copy of the cached host info is returned. The caller is responsible
* for deallocating the memory returned by this function.
*/
/*ARGSUSED*/
{
int i;
char site_service[MAXHOSTNAMELEN];
kpasswd_srv = NULL;
(void) mutex_lock(&smb_ads_cached_host_mtx);
(void) mutex_unlock(&smb_ads_cached_host_mtx);
return (host);
}
(void) mutex_unlock(&smb_ads_cached_host_mtx);
/*
* First look for ADS hosts in ADS site if configured. Then try
* without ADS site info.
*/
/*
* If we're given an AD, the DNS SRV RR lookup should not be restricted
* to the specified site since there is no guarantee that the specified
* AD is in the specified site.
*/
if (!hlist)
return (NULL);
if (smb_ads_set_ipaddr(&hlistp[i]) < 0)
continue;
found_kpasswd_srv = &hlistp[i];
if (smb_ads_match_pdc(&hlistp[i]))
}
goto update_cache;
}
goto update_cache;
}
/*
* If the specified DC (kpasswd_srv or pdc) is not found, fallback
* to find a DC in the specified AD site.
*/
if (*site_service != '\0' &&
(kpasswd_srv || smb_ads_is_pdc_configured())) {
(void) smb_ads_set_ipaddr(&hlistp[i]);
}
}
/* Select DC from DC list */
if (host) {
(void) mutex_lock(&smb_ads_cached_host_mtx);
if (!smb_ads_cached_host_info)
(void) mutex_unlock(&smb_ads_cached_host_mtx);
}
return (host);
}
/*
* Return the number of dots in a string.
*/
static int
smb_ads_count_dots(const char *s)
{
int ndots = 0;
while (*s) {
if (*s++ == '.')
ndots++;
}
return (ndots);
}
/*
* Convert a domain name in dot notation to distinguished name format,
* for example: sun.com -> dc=sun,dc=com.
*
* Returns a pointer to an allocated buffer containing the distinguished
* name.
*/
static char *
smb_ads_convert_domain(const char *domain_name)
{
const char *s;
char *dn_name;
char buf[2];
int ndots;
int len;
return (NULL);
++ndots;
return (NULL);
s = domain_name;
while (*s) {
if (*s == '.') {
} else {
buf[0] = *s;
}
++s;
}
return (dn_name);
}
/*
* smb_ads_free_cached_host
*
* Free the memory use by the global smb_ads_cached_host_info & set it to NULL.
*/
static void
smb_ads_free_cached_host(void)
{
(void) mutex_lock(&smb_ads_cached_host_mtx);
if (smb_ads_cached_host_info) {
}
(void) mutex_unlock(&smb_ads_cached_host_mtx);
}
/*
* smb_ads_open
* Open a LDAP connection to an ADS server if the system is in domain mode.
* Acquire both Kerberos TGT and LDAP service tickets for the host principal.
*
* This function should only be called after the system is successfully joined
* to a domain.
*/
smb_ads_open(void)
{
char domain[MAXHOSTNAMELEN];
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
return (NULL);
return (NULL);
}
static int
{
return (LDAP_PARAM_ERROR);
interact++) {
}
return (LDAP_SUCCESS);
}
/*
* smb_ads_open_main
* Open a LDAP connection to an ADS server.
* If ADS is enabled and the administrative username, password, and
* ADS domain are defined then query DNS to find an ADS server if this is the
* very first call to this routine. After an ADS server is found then this
* server will be used everytime this routine is called until the system is
* rebooted or the ADS server becomes unavailable then an ADS server will
* be queried again. After the connection is made then an ADS handle
* is created to be returned.
*
* After the LDAP connection, the LDAP version will be set to 3 using
* ldap_set_option().
*
* The LDAP connection is bound before the ADS handle is returned.
* Parameters:
* domain - fully-qualified domain name
* user - the user account for whom the Kerberos TGT ticket and ADS
* service tickets are acquired.
* password - password of the specified user
*
* Returns:
* NULL : can't connect to ADS server or other errors
* smb_ads_handle_t* : handle to ADS server
*/
static smb_ads_handle_t *
{
int version = 3;
int rc;
return (NULL);
}
return (NULL);
return (NULL);
}
return (NULL);
}
!= LDAP_SUCCESS) {
(void) ldap_unbind(ld);
return (NULL);
}
return (NULL);
}
/*
* ah->domain is often used for generating service principal name.
* Convert it to lower case for RFC 4120 section 6.2.1 conformance.
*/
return (NULL);
}
return (NULL);
}
return (NULL);
}
} else {
}
if (rc != LDAP_SUCCESS) {
return (NULL);
}
return (ah);
}
/*
* smb_ads_close
* Close connection to ADS server and free memory allocated for ADS handle.
* LDAP unbind is called here.
* Parameters:
* ah: handle to ADS server
* Returns:
* void
*/
void
{
return;
/* close and free connection resources */
}
/*
* smb_ads_alloc_attr
*
* Since the attrs is a null-terminated array, all elements
* in the array (except the last one) will point to allocated
* memory.
*/
static int
{
int i;
for (i = 0; i < (num - 1); i++) {
return (-1);
}
}
return (0);
}
/*
* smb_ads_free_attr
* Free memory allocated when publishing a share.
* Parameters:
* attrs: an array of LDAPMod pointers
* Returns:
* None
*/
static void
{
int i;
for (i = 0; attrs[i]; i++) {
}
}
/*
* Returns share DN in an allocated buffer. The format of the DN is
* cn=<sharename>,<container RDNs>,<domain DN>
*
* If the domain DN is not included in the container parameter,
* then it will be appended to create the share DN.
*
* The caller must free the allocated buffer.
*/
static char *
const char *domain_dn)
{
char *share_dn;
if (container_len >= domain_len) {
/* offset to last domain_len characters */
domain_dn, domain_len) == 0)
}
if (append_domain)
else
}
/*
* smb_ads_add_share
* Call by smb_ads_publish_share to create share object in ADS.
* This routine specifies the attributes of an ADS LDAP share object. The first
* attribute and values define the type of ADS object, the share object. The
* second attribute and value define the UNC of the share data for the share
* object. The LDAP synchronous add command is used to add the object into ADS.
* The container location to add the object needs to specified.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object to be created in ADS
* shareUNC : share name on NetForce
* adsContainer: location in ADS to create share object
*
* Returns:
* -1 : error
* 0 : success
*/
int
const char *unc_name, const char *adsContainer)
{
int j = 0;
char *share_dn;
int ret;
return (-1);
return (-1);
}
if (ret == LDAP_NO_SUCH_OBJECT) {
" AD. Container does not exist: %s.\n",
} else {
}
return (ret);
}
return (0);
}
/*
* smb_ads_del_share
* Call by smb_ads_remove_share to remove share object from ADS. The container
* location to remove the object needs to specified. The LDAP synchronous
* delete command is used.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object in ADS to be removed
* adsContainer: location of share object in ADS
* Returns:
* -1 : error
* 0 : success
*/
static int
const char *adsContainer)
{
char *share_dn;
int ret;
return (-1);
return (-1);
}
return (0);
}
/*
* smb_ads_escape_search_filter_chars
*
* This routine will escape the special characters found in a string
* that will later be passed to the ldap search filter.
*
* RFC 1960 - A String Representation of LDAP Search Filters
* 3. String Search Filter Definition
* If a value must contain one of the characters '*' OR '(' OR ')',
* these characters
* should be escaped by preceding them with the backslash '\' character.
*
* RFC 2252 - LDAP Attribute Syntax Definitions
* a backslash quoting mechanism is used to escape
* the following separator symbol character (such as "'", "$" or "#") if
* it should occur in that string.
*/
static int
{
return (-1);
while (*src) {
if (!avail) {
*dst = 0;
return (-1);
}
switch (*src) {
case '\\':
case '\'':
case '$':
case '#':
case '*':
case '(':
case ')':
*dst++ = '\\';
avail--;
/* fall through */
default:
avail--;
}
}
*dst = 0;
return (0);
}
/*
* smb_ads_lookup_share
* The search filter is set to search for a specific share name in the
* specified ADS container. The LDSAP synchronous search command is used.
* Parameters:
* ah : handle to ADS server
* adsShareName: name of share object in ADS to be searched
* adsContainer: location of share object in ADS
* Returns:
* -1 : error
* 0 : not found
* 1 : found
*/
int
const char *adsContainer, char *unc_name)
{
char *share_dn;
int ret;
char tmpbuf[SMB_ADS_MAXBUFLEN];
return (-1);
return (-1);
attrs[0] = "cn";
return (-1);
}
"(&(objectClass=volume)(uNCName=%s))", tmpbuf);
if (ret != LDAP_NO_SUCH_OBJECT)
(void) ldap_msgfree(res);
return (0);
}
/* no match is found */
(void) ldap_msgfree(res);
return (0);
}
/* free the search results */
(void) ldap_msgfree(res);
return (1);
}
/*
* smb_ads_publish_share
* Publish share into ADS. If a share name already exist in ADS in the same
* container then the existing share object is removed before adding the new
* share object.
* Parameters:
* ah : handle return from smb_ads_open
* adsShareName: name of share to be added to ADS directory
* shareUNC : name of share on client, can be NULL to use the same name
* as adsShareName
* adsContainer: location for share to be added in ADS directory, ie
* ou=share_folder
* uncType : use UNC_HOSTNAME to use hostname for UNC, use UNC_HOSTADDR
* to use host ip addr for UNC.
* Returns:
* -1 : error
* 0 : success
*/
int
{
int ret;
char unc_name[SMB_ADS_MAXBUFLEN];
return (-1);
return (-1);
switch (ret) {
case 1:
break;
case 0:
if (ret == LDAP_ALREADY_EXISTS)
ret = -1;
break;
case -1:
default:
/* return with error code */
ret = -1;
}
return (ret);
}
/*
* smb_ads_remove_share
* Remove share from ADS. A search is done first before explicitly removing
* the share.
* Parameters:
* ah : handle return from smb_ads_open
* adsShareName: name of share to be removed from ADS directory
* adsContainer: location for share to be removed from ADS directory, ie
* ou=share_folder
* Returns:
* -1 : error
* 0 : success
*/
int
{
int ret;
char unc_name[SMB_ADS_MAXBUFLEN];
return (-1);
return (-1);
if (ret == 0)
return (0);
if (ret == -1)
return (-1);
}
/*
* smb_ads_get_default_comp_container_dn
*
* Build the distinguished name for the default computer conatiner (i.e. the
* pre-defined Computers container).
*/
static void
{
}
/*
* smb_ads_get_default_comp_dn
*
* Build the distinguished name for this system.
*/
static void
{
char nbname[NETBIOS_NAME_SZ];
char container_dn[SMB_ADS_DN_MAX];
}
/*
* smb_ads_add_computer
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
}
/*
* smb_ads_modify_computer
*
* Returns 0 upon success. Otherwise, returns -1.
*/
static int
{
}
/*
* smb_ads_get_dc_level
*
* Returns the functional level of the DC upon success.
* Otherwise, -1 is returned.
*/
static int
{
char *attr[2];
char **vals;
int rc = -1;
attr[0] = SMB_ADS_ATTR_DCLEVEL;
0, &res) != LDAP_SUCCESS) {
(void) ldap_msgfree(res);
return (-1);
}
/* no match for the specified attribute is found */
(void) ldap_msgfree(res);
return (-1);
}
if (entry) {
SMB_ADS_ATTR_DCLEVEL)) == NULL) {
/*
* Observed the values aren't populated
* by the Windows 2000 server.
*/
(void) ldap_msgfree(res);
return (SMB_ADS_DCLEVEL_W2K);
}
}
(void) ldap_msgfree(res);
return (rc);
}
/*
* The fully-qualified hostname returned by this function is often used for
* constructing service principal name. Return the fully-qualified hostname
* in lower case for RFC 4120 section 6.2.1 conformance.
*/
static int
{
return (-1);
return (0);
}
static int
{
char *sam_val[2];
char *encrypt_val[2];
int j = -1;
int ret, usrctl_flags = 0;
char sam_acct[SMB_SAMACCT_MAXLEN];
char fqhost[MAXHOSTNAMELEN];
char usrctl_buf[16];
char encrypt_buf[16];
int max;
return (-1);
return (-1);
/* The SPN attribute is multi-valued and must be 1 or greater */
return (-1);
/* The UPN attribute is single-valued and cannot be zero */
return (-1);
}
return (-1);
}
/* objectClass attribute is not modifiable. */
if (op == LDAP_MOD_ADD) {
}
sam_val[1] = 0;
ctl_val[0] = usrctl_buf;
ctl_val[1] = 0;
fqh_val[1] = 0;
/* enctypes support starting in Windows Server 2008 */
if (dclevel > SMB_ADS_DCLEVEL_W2K3) {
encrypt_val[0] = encrypt_buf;
encrypt_val[1] = 0;
}
switch (op) {
case LDAP_MOD_ADD:
ret = -1;
}
break;
case LDAP_MOD_REPLACE:
ret = -1;
}
break;
default:
ret = -1;
}
return (ret);
}
/*
* Delete an ADS computer account.
*/
static void
{
int rc;
}
/*
* Gets the value of the given attribute.
*/
static smb_ads_qstat_t
{
char **vals;
if (!vals)
return (SMB_ADS_STAT_NOT_FOUND);
if (!vals[0]) {
return (SMB_ADS_STAT_NOT_FOUND);
}
return (rc);
}
/*
* Process query's result.
*/
static smb_ads_qstat_t
{
char fqhost[MAXHOSTNAMELEN];
return (SMB_ADS_STAT_ERR);
return (SMB_ADS_STAT_NOT_FOUND);
return (SMB_ADS_STAT_ERR);
switch (rc) {
case SMB_ADS_STAT_FOUND:
/*
* Returns SMB_ADS_STAT_DUP to avoid overwriting
* the computer account of another system whose
* NetBIOS name collides with that of the current
* system.
*/
break;
case SMB_ADS_STAT_NOT_FOUND:
/*
* Pre-created computer account doesn't have
* the dNSHostname attribute. It's been observed
* that the dNSHostname attribute is only set after
* a successful domain join.
* Returns SMB_ADS_STAT_FOUND as the account is
* pre-created for the current system.
*/
break;
default:
break;
}
if (rc != SMB_ADS_STAT_FOUND)
return (rc);
if (avpair)
return (rc);
}
/*
* smb_ads_lookup_computer_n_attr
*
* If avpair is NULL, checks the status of the specified computer account.
* Otherwise, looks up the value of the specified computer account's attribute.
* If found, the value field of the avpair will be allocated and set. The
* caller should free the allocated buffer.
*
* Return:
* SMB_ADS_STAT_FOUND - if both the computer and the specified attribute is
* found.
* SMB_ADS_STAT_NOT_FOUND - if either the computer or the specified attribute
* is not found.
* SMB_ADS_STAT_DUP - if the computer account is already used by other systems
* in the AD. This could happen if the hostname of multiple
* systems resolved to the same NetBIOS name.
* SMB_ADS_STAT_ERR - any failure.
*/
static smb_ads_qstat_t
{
return (SMB_ADS_STAT_ERR);
attrs[0] = SMB_ADS_ATTR_DNSHOST;
if (avpair) {
return (SMB_ADS_STAT_ERR);
}
return (SMB_ADS_STAT_ERR);
"(&(objectClass=computer)(%s=%s))", SMB_ADS_ATTR_SAMACCT,
&res) != LDAP_SUCCESS) {
(void) ldap_msgfree(res);
return (SMB_ADS_STAT_NOT_FOUND);
}
/* free the search results */
(void) ldap_msgfree(res);
return (rc);
}
/*
* smb_ads_find_computer
*
* Starts by searching for the system's AD computer object in the default
* container (i.e. cn=Computers). If not found, searches the entire directory.
* If found, 'dn' will be set to the distinguished name of the system's AD
* computer object.
*/
static smb_ads_qstat_t
{
dn);
if (stat == SMB_ADS_STAT_NOT_FOUND) {
}
if (stat == SMB_ADS_STAT_FOUND) {
}
return (stat);
}
/*
* smb_ads_update_computer_cntrl_attr
*
* Modify the user account control attribute of an existing computer
* object on AD.
*
* Returns LDAP error code.
*/
static int
{
char *ctl_val[2];
int ret = 0;
char usrctl_buf[16];
return (LDAP_NO_MEMORY);
ctl_val[0] = usrctl_buf;
ctl_val[1] = 0;
}
return (ret);
}
/*
* smb_ads_lookup_computer_attr_kvno
*
* Lookup the value of the Kerberos version number attribute of the computer
* account.
*/
static krb5_kvno
{
int kvno = 1;
}
return (kvno);
}
static int
{
int i;
errno = 0;
return (-1);
}
if (random_bytes == NULL)
return (-1);
return (-1);
}
for (i = 0; i < pwdlen; i++)
machine_passwd[pwdlen] = 0;
return (0);
}
/*
* smb_ads_join
*
* Besides the NT-4 style domain join (using MS-RPC), CIFS server also
* provides the domain join using Kerberos Authentication, Keberos
* Change & Set password, and LDAP protocols. Basically, AD join
* operation would require the following tickets to be acquired for the
* the user account that is provided for the domain join.
*
* 1) a Keberos TGT ticket,
* 2) a ldap service ticket, and
*
* The ADS client first sends a ldap search request to find out whether
* or not the workstation trust account already exists in the Active Directory.
* The existing computer object for this workstation will be removed and
* a new one will be added. The machine account password is randomly
* generated and set for the newly created computer object using KPASSWD
* protocol (See RFC 3244). Once the password is set, our ADS client
* finalizes the machine account by modifying the user acount control
* attribute of the computer object. Kerberos keys derived from the machine
* account password will be stored locally in /etc/krb5/krb5.keytab file.
* That would be needed while acquiring Kerberos TGT ticket for the host
* principal after the domain join operation.
*/
{
char dn[SMB_ADS_DN_MAX];
char tmpfile[] = SMBNS_KRB5_KEYTAB_TMP;
int cnt;
return (SMB_ADJOIN_ERR_GET_HANDLE);
}
return (SMB_ADJOIN_ERR_GEN_PWD);
}
return (SMB_ADJOIN_ERR_GET_DCLEVEL);
}
switch (qstat) {
case SMB_ADS_STAT_FOUND:
return (SMB_ADJOIN_ERR_MOD_TRUST_ACCT);
}
break;
case SMB_ADS_STAT_NOT_FOUND:
return (SMB_ADJOIN_ERR_ADD_TRUST_ACCT);
}
break;
default:
if (qstat == SMB_ADS_STAT_DUP)
else
return (rc);
}
if (smb_krb5_ctx_init(&ctx) != 0) {
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
!= 0) {
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
/*
* Only members of Domain Admins and Enterprise Admins can set
* the TRUSTED_FOR_DELEGATION userAccountControl flag.
*/
== LDAP_INSUFFICIENT_ACCESS) {
"TRUSTED_FOR_DELEGATION userAccountControl flag on "
"the machine account in Active Directory. Please refer "
"to the Troubleshooting guide for more information.");
} else {
}
if (des_only)
!= 0) {
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
goto adjoin_cleanup;
}
if (rc != SMB_ADJOIN_ERR_INIT_KRB_CTX) {
if (rc != SMB_ADJOIN_ERR_GET_SPNS)
}
/* commit keytab file */
if (rc == SMB_ADJOIN_SUCCESS) {
} else {
/* Set IDMAP config */
} else {
/* Refresh IDMAP service */
if (smb_config_refresh_idmap() != 0)
}
}
} else {
}
return (rc);
}
/*
* smb_ads_join_errmsg
*
* Display error message for the specific adjoin error code.
*/
void
{
int i;
struct xlate_table {
char *msg;
} adjoin_table[] = {
{ SMB_ADJOIN_ERR_GET_HANDLE, "Failed to connect to an "
"Active Directory server." },
{ SMB_ADJOIN_ERR_GEN_PWD, "Failed to generate machine "
"password." },
{ SMB_ADJOIN_ERR_GET_DCLEVEL, "Unknown functional level of "
"the domain controller. The rootDSE attribute named "
"\"domainControllerFunctionality\" is missing from the "
"Active Directory." },
{ SMB_ADJOIN_ERR_ADD_TRUST_ACCT, "Failed to create the "
"workstation trust account." },
{ SMB_ADJOIN_ERR_MOD_TRUST_ACCT, "Failed to modify the "
"workstation trust account." },
{ SMB_ADJOIN_ERR_DUP_TRUST_ACCT, "Failed to create the "
"workstation trust account because its name is already "
"in use." },
{ SMB_ADJOIN_ERR_TRUST_ACCT, "Error in querying the "
"workstation trust account" },
{ SMB_ADJOIN_ERR_INIT_KRB_CTX, "Failed to initialize Kerberos "
"context." },
{ SMB_ADJOIN_ERR_GET_SPNS, "Failed to get Kerberos "
"principals." },
{ SMB_ADJOIN_ERR_KSETPWD, "Failed to set machine password." },
{ SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR, "Failed to modify "
"userAccountControl attribute of the workstation trust "
"account." },
{ SMB_ADJOIN_ERR_WRITE_KEYTAB, "Error in writing to local "
"keytab file (i.e /etc/krb5/krb5.keytab)." },
{ SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN, "Failed to update idmap "
"configuration." },
{ SMB_ADJOIN_ERR_IDMAP_REFRESH, "Failed to refresh idmap "
"service." },
{ SMB_ADJOIN_ERR_COMMIT_KEYTAB, "Failed to commit changes to "
"local keytab file (i.e. /etc/krb5/krb5.keytab)." }
};
for (i = 0; i < sizeof (adjoin_table) / sizeof (adjoin_table[0]); i++) {
}
}
/*
* smb_ads_match_pdc
*
* Returns B_TRUE if the given host's IP address matches the preferred DC's
* IP address. Otherwise, returns B_FALSE.
*/
static boolean_t
{
if (!host)
return (match);
return (match);
}
/*
* smb_ads_select_dcfromsubnet
*
* This method walks the list of DCs and returns the first DC record that
* responds to ldap ping and is in the same subnet as the host.
*
* Returns a pointer to the found DC record.
* Returns NULL, on error or if no DC record is found.
*/
static smb_ads_host_info_t *
{
int i;
return (NULL);
do {
for (i = 0; i < cnt; i++) {
if (smb_ads_ldap_ping(hentry) == 0)
return (hentry);
}
}
return (NULL);
}
/*
* smb_ads_select_dcfromlist
*
* This method walks the list of DCs and returns the first DC that
* responds to ldap ping.
*
* Returns a pointer to the found DC record.
* Returns NULL if no DC record is found.
*/
static smb_ads_host_info_t *
{
int i;
for (i = 0; i < cnt; i++) {
if (smb_ads_ldap_ping(hentry) == 0)
return (hentry);
}
return (NULL);
}
/*
* smb_ads_dc_compare
*
* Comparision function for sorting host entries (SRV records of DC) via qsort.
* RFC 2052/2782 are taken as reference, while implementing this algorithm.
*
* Domain Controllers(DCs) with lowest priority in their SRV DNS records
* are selected first. If they have equal priorities, then DC with highest
* weight in its SRV DNS record is selected. If the priority and weight are
* both equal, then the DC at the top of the list is selected.
*/
static int
smb_ads_dc_compare(const void *p, const void *q)
{
return (-1);
return (1);
/* Priorities are equal */
return (1);
return (-1);
return (0);
}
/*
* smb_ads_select_dc
*
* The list of ADS hosts returned by ADS lookup, is sorted by lowest priority
* and highest weight. On this sorted list, following additional rules are
* applied, to select a DC.
*
* - If there is a DC in the same subnet, then return the DC,
* if it responds to ldap ping.
* - Else, return first DC that responds to ldap ping.
*
* A reference to the host entry from input host list is returned.
*
* Returns NULL on error.
*/
static smb_ads_host_info_t *
{
return (NULL);
if (smb_ads_ldap_ping(hentry) == 0)
return (hentry);
}
/* Sort the list by priority and weight */
sizeof (smb_ads_host_info_t), smb_ads_dc_compare);
return (hentry);
return (hentry);
return (NULL);
}
/*
* smb_ads_lookup_msdcs
*
* If server argument is set, try to locate the specified DC.
* If it is set to empty string, locate any DCs in the specified domain.
* Returns the discovered DC via buf.
*
* fqdn - fully-qualified domain name
* server - fully-qualifed hostname of a DC
* buf - the hostname of the discovered DC
*/
{
char *p;
char *sought_host;
char ipstr[INET6_ADDRSTRLEN];
return (B_FALSE);
ipstr[0] = '\0';
*buf = '\0';
return (B_FALSE);
/*
* Remove the domain extension
*/
*p = '\0';
return (B_TRUE);
}
static krb5_enctype *
{
if (dclevel >= SMB_ADS_DCLEVEL_W2K8) {
} else {
}
return (encptr);
}