libsmbns/common/smbns_ads.c

da6c28aaSamw/*
da6c28aaSamw * CDDL HEADER START
da6c28aaSamw *
da6c28aaSamw * The contents of this file are subject to the terms of the
da6c28aaSamw * Common Development and Distribution License (the "License").
da6c28aaSamw * You may not use this file except in compliance with the License.
da6c28aaSamw *
da6c28aaSamw * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
da6c28aaSamw * or http://www.opensolaris.org/os/licensing.
da6c28aaSamw * See the License for the specific language governing permissions
da6c28aaSamw * and limitations under the License.
da6c28aaSamw *
da6c28aaSamw * When distributing Covered Code, include this CDDL HEADER in each
da6c28aaSamw * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
da6c28aaSamw * If applicable, add the following below this CDDL HEADER, with the
da6c28aaSamw * fields enclosed by brackets "[]" replaced with your own identifying
da6c28aaSamw * information: Portions Copyright [yyyy] [name of copyright owner]
da6c28aaSamw *
da6c28aaSamw * CDDL HEADER END
da6c28aaSamw */
da6c28aaSamw/*
c5866007SKeyur Desai * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
1ed6b69aSGordon Ross * Copyright 2013 Nexenta Systems, Inc.  All rights reserved.
da6c28aaSamw */
da6c28aaSamw
da6c28aaSamw#include <sys/param.h>
da6c28aaSamw#include <ldap.h>
da6c28aaSamw#include <stdlib.h>
da6c28aaSamw#include <sys/types.h>
da6c28aaSamw#include <sys/socket.h>
da6c28aaSamw#include <netinet/in.h>
da6c28aaSamw#include <arpa/inet.h>
da6c28aaSamw#include <sys/time.h>
da6c28aaSamw#include <netdb.h>
da6c28aaSamw#include <pthread.h>
da6c28aaSamw#include <unistd.h>
da6c28aaSamw#include <arpa/nameser.h>
da6c28aaSamw#include <resolv.h>
da6c28aaSamw#include <sys/synch.h>
da6c28aaSamw#include <string.h>
da6c28aaSamw#include <strings.h>
da6c28aaSamw#include <fcntl.h>
da6c28aaSamw#include <sys/types.h>
da6c28aaSamw#include <sys/stat.h>
b89a8333Snatalie li - Sun Microsystems - Irvine United States#include <assert.h>
a0aa776eSAlan Wright#include <sasl/sasl.h>
a0aa776eSAlan Wright#include <note.h>
77191e87SShawn Emery#include <errno.h>
77191e87SShawn Emery#include <cryptoutil.h>
da6c28aaSamw
da6c28aaSamw#include <smbsrv/libsmbns.h>
da6c28aaSamw#include <smbns_dyndns.h>
da6c28aaSamw#include <smbns_krb.h>
da6c28aaSamw
96a62adaSjoyce mcintosh#define	SMB_ADS_AF_UNKNOWN(x)	(((x)->ipaddr.a_family != AF_INET) && \
96a62adaSjoyce mcintosh	((x)->ipaddr.a_family != AF_INET6))
96a62adaSjoyce mcintosh
29bd2886SAlan Wright#define	SMB_ADS_MAXBUFLEN 100
3db3f65cSamw#define	SMB_ADS_DN_MAX	300
3db3f65cSamw#define	SMB_ADS_MAXMSGLEN 512
3db3f65cSamw#define	SMB_ADS_COMPUTERS_CN "Computers"
3db3f65cSamw#define	SMB_ADS_COMPUTER_NUM_ATTR 8
3db3f65cSamw#define	SMB_ADS_SHARE_NUM_ATTR 3
3db3f65cSamw#define	SMB_ADS_SITE_MAX MAXHOSTNAMELEN
3db3f65cSamw
3db3f65cSamw#define	SMB_ADS_MSDCS_SRV_DC_RR		"_ldap._tcp.dc._msdcs"
3db3f65cSamw#define	SMB_ADS_MSDCS_SRV_SITE_RR	"_ldap._tcp.%s._sites.dc._msdcs"
3db3f65cSamw
3db3f65cSamw/*
3db3f65cSamw * domainControllerFunctionality
3db3f65cSamw *
3db3f65cSamw * This rootDSE attribute indicates the functional level of the DC.
3db3f65cSamw */
3db3f65cSamw#define	SMB_ADS_ATTR_DCLEVEL	"domainControllerFunctionality"
3db3f65cSamw#define	SMB_ADS_DCLEVEL_W2K	0
3db3f65cSamw#define	SMB_ADS_DCLEVEL_W2K3	2
3db3f65cSamw#define	SMB_ADS_DCLEVEL_W2K8	3
b1352070SAlan Wright#define	SMB_ADS_DCLEVEL_W2K8_R2 4
3db3f65cSamw
3db3f65cSamw/*
3db3f65cSamw * msDs-supportedEncryptionTypes (Windows Server 2008 only)
3db3f65cSamw *
3db3f65cSamw * This attribute defines the encryption types supported by the system.
3db3f65cSamw * Encryption Types:
3db3f65cSamw *  - DES cbc mode with CRC-32
3db3f65cSamw *  - DES cbc mode with RSA-MD5
3db3f65cSamw *  - ArcFour with HMAC/md5
3db3f65cSamw *  - AES-128
3db3f65cSamw *  - AES-256
3db3f65cSamw */
3db3f65cSamw#define	SMB_ADS_ATTR_ENCTYPES	"msDs-supportedEncryptionTypes"
3db3f65cSamw#define	SMB_ADS_ENC_DES_CRC	1
3db3f65cSamw#define	SMB_ADS_ENC_DES_MD5	2
3db3f65cSamw#define	SMB_ADS_ENC_RC4		4
3db3f65cSamw#define	SMB_ADS_ENC_AES128	8
3db3f65cSamw#define	SMB_ADS_ENC_AES256	16
3db3f65cSamw
148c5f43SAlan Wrightstatic krb5_enctype w2k8enctypes[] = {
148c5f43SAlan Wright    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
148c5f43SAlan Wright    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
148c5f43SAlan Wright    ENCTYPE_ARCFOUR_HMAC,
148c5f43SAlan Wright    ENCTYPE_DES_CBC_CRC,
148c5f43SAlan Wright    ENCTYPE_DES_CBC_MD5,
148c5f43SAlan Wright};
148c5f43SAlan Wright
148c5f43SAlan Wrightstatic krb5_enctype pre_w2k8enctypes[] = {
148c5f43SAlan Wright    ENCTYPE_ARCFOUR_HMAC,
148c5f43SAlan Wright    ENCTYPE_DES_CBC_CRC,
148c5f43SAlan Wright    ENCTYPE_DES_CBC_MD5,
148c5f43SAlan Wright};
148c5f43SAlan Wright
3db3f65cSamw#define	SMB_ADS_ATTR_SAMACCT	"sAMAccountName"
3db3f65cSamw#define	SMB_ADS_ATTR_UPN	"userPrincipalName"
3db3f65cSamw#define	SMB_ADS_ATTR_SPN	"servicePrincipalName"
3db3f65cSamw#define	SMB_ADS_ATTR_CTL	"userAccountControl"
3db3f65cSamw#define	SMB_ADS_ATTR_DNSHOST	"dNSHostName"
3db3f65cSamw#define	SMB_ADS_ATTR_KVNO	"msDS-KeyVersionNumber"
c8ec8eeaSjose borrego#define	SMB_ADS_ATTR_DN		"distinguishedName"
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
29bd2886SAlan Wright * UserAccountControl flags: manipulate user account properties.
29bd2886SAlan Wright *
29bd2886SAlan Wright * The hexadecimal value of the following property flags are based on MSDN
29bd2886SAlan Wright * article # 305144.
29bd2886SAlan Wright */
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_SCRIPT				0x00000001
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE			0x00000002
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_HOMEDIR_REQUIRED			0x00000008
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_LOCKOUT				0x00000010
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD			0x00000020
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_PASSWD_CANT_CHANGE		0x00000040
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_ENCRYPTED_TEXT_PWD_ALLOWED	0x00000080
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_TMP_DUP_ACCT			0x00000100
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_NORMAL_ACCT			0x00000200
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_INTERDOMAIN_TRUST_ACCT		0x00000800
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT		0x00001000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_SRV_TRUST_ACCT			0x00002000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD		0x00010000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_MNS_LOGON_ACCT			0x00020000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_SMARTCARD_REQUIRED		0x00040000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION		0x00080000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_NOT_DELEGATED			0x00100000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY			0x00200000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_DONT_REQ_PREAUTH			0x00400000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_PASSWD_EXPIRED			0x00800000
29bd2886SAlan Wright#define	SMB_ADS_USER_ACCT_CTL_TRUSTED_TO_AUTH_FOR_DELEGATION	0x01000000
29bd2886SAlan Wright
29bd2886SAlan Wright/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Length of "dc=" prefix.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United States#define	SMB_ADS_DN_PREFIX_LEN	3
b89a8333Snatalie li - Sun Microsystems - Irvine United States
7f667e74Sjose borregostatic char *smb_ads_computer_objcls[] = {
7f667e74Sjose borrego	"top", "person", "organizationalPerson",
7f667e74Sjose borrego	"user", "computer", NULL
7f667e74Sjose borrego};
7f667e74Sjose borrego
7f667e74Sjose borregostatic char *smb_ads_share_objcls[] = {
7f667e74Sjose borrego	"top", "leaf", "connectionPoint", "volume", NULL
7f667e74Sjose borrego};
7f667e74Sjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States/* Cached ADS server to communicate with */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_host_info_t *smb_ads_cached_host_info = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic mutex_t smb_ads_cached_host_mtx;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright/*
29bd2886SAlan Wright * SMB ADS config cache is maintained to facilitate the detection of
29bd2886SAlan Wright * changes in configuration that is relevant to AD selection.
29bd2886SAlan Wright */
29bd2886SAlan Wrighttypedef struct smb_ads_config {
29bd2886SAlan Wright	char c_site[SMB_ADS_SITE_MAX];
29bd2886SAlan Wright	smb_inaddr_t c_pdc;
29bd2886SAlan Wright	mutex_t c_mtx;
29bd2886SAlan Wright} smb_ads_config_t;
29bd2886SAlan Wright
29bd2886SAlan Wrightstatic smb_ads_config_t smb_ads_cfg;
29bd2886SAlan Wright
dc20a302Sas200622
b89a8333Snatalie li - Sun Microsystems - Irvine United States/* attribute/value pair */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statestypedef struct smb_ads_avpair {
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *avp_attr;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *avp_val;
b89a8333Snatalie li - Sun Microsystems - Irvine United States} smb_ads_avpair_t;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/* query status */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statestypedef enum smb_ads_qstat {
b89a8333Snatalie li - Sun Microsystems - Irvine United States	SMB_ADS_STAT_ERR = -2,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	SMB_ADS_STAT_DUP,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	SMB_ADS_STAT_NOT_FOUND,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	SMB_ADS_STAT_FOUND
b89a8333Snatalie li - Sun Microsystems - Irvine United States} smb_ads_qstat_t;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wrighttypedef struct smb_ads_host_list {
29bd2886SAlan Wright	int ah_cnt;
29bd2886SAlan Wright	smb_ads_host_info_t *ah_list;
29bd2886SAlan Wright} smb_ads_host_list_t;
29bd2886SAlan Wright
c8ec8eeaSjose borregostatic smb_ads_handle_t *smb_ads_open_main(char *, char *, char *);
c8ec8eeaSjose borregostatic int smb_ads_add_computer(smb_ads_handle_t *, int, char *);
c8ec8eeaSjose borregostatic int smb_ads_modify_computer(smb_ads_handle_t *, int, char *);
c8ec8eeaSjose borregostatic int smb_ads_computer_op(smb_ads_handle_t *, int, int, char *);
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t smb_ads_lookup_computer_n_attr(smb_ads_handle_t *,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    smb_ads_avpair_t *, int, char *);
c8ec8eeaSjose borregostatic int smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *, int, char *);
c8ec8eeaSjose borregostatic krb5_kvno smb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *, char *);
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic void smb_ads_free_cached_host(void);
c8ec8eeaSjose borregostatic int smb_ads_alloc_attr(LDAPMod **, int);
c8ec8eeaSjose borregostatic void smb_ads_free_attr(LDAPMod **);
c8ec8eeaSjose borregostatic int smb_ads_get_dc_level(smb_ads_handle_t *);
c8ec8eeaSjose borregostatic smb_ads_host_info_t *smb_ads_select_dc(smb_ads_host_list_t *);
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t smb_ads_find_computer(smb_ads_handle_t *, char *);
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t smb_ads_getattr(LDAP *, LDAPMessage *,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    smb_ads_avpair_t *);
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t smb_ads_get_qstat(smb_ads_handle_t *, LDAPMessage *,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    smb_ads_avpair_t *);
29bd2886SAlan Wrightstatic boolean_t smb_ads_match_pdc(smb_ads_host_info_t *);
29bd2886SAlan Wrightstatic boolean_t smb_ads_is_sought_host(smb_ads_host_info_t *, char *);
29bd2886SAlan Wrightstatic boolean_t smb_ads_is_same_domain(char *, char *);
29bd2886SAlan Wrightstatic boolean_t smb_ads_is_pdc_configured(void);
29bd2886SAlan Wrightstatic smb_ads_host_info_t *smb_ads_dup_host_info(smb_ads_host_info_t *);
fe1c642dSBill Krierstatic char *smb_ads_get_sharedn(const char *, const char *, const char *);
148c5f43SAlan Wrightstatic krb5_enctype *smb_ads_get_enctypes(int, int *);
dc20a302Sas200622
dc20a302Sas200622/*
3db3f65cSamw * smb_ads_init
dc20a302Sas200622 *
29bd2886SAlan Wright * Initializes the ADS config cache.
dc20a302Sas200622 */
dc20a302Sas200622void
3db3f65cSamwsmb_ads_init(void)
dc20a302Sas200622{
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) smb_config_getstr(SMB_CI_ADS_SITE,
29bd2886SAlan Wright	    smb_ads_cfg.c_site, SMB_ADS_SITE_MAX);
29bd2886SAlan Wright	(void) smb_config_getip(SMB_CI_DOMAIN_SRV, &smb_ads_cfg.c_pdc);
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright}
29bd2886SAlan Wright
29bd2886SAlan Wrightvoid
29bd2886SAlan Wrightsmb_ads_fini(void)
29bd2886SAlan Wright{
29bd2886SAlan Wright	smb_ads_free_cached_host();
dc20a302Sas200622}
dc20a302Sas200622
dc20a302Sas200622/*
3db3f65cSamw * smb_ads_refresh
dc20a302Sas200622 *
29bd2886SAlan Wright * This function will be called when smb/server SMF service is refreshed.
29bd2886SAlan Wright * Clearing the smb_ads_cached_host_info would allow the next DC
29bd2886SAlan Wright * discovery process to pick up an AD based on the new AD configuration.
dc20a302Sas200622 */
dc20a302Sas200622void
3db3f65cSamwsmb_ads_refresh(void)
dc20a302Sas200622{
3db3f65cSamw	char new_site[SMB_ADS_SITE_MAX];
29bd2886SAlan Wright	smb_inaddr_t new_pdc;
29bd2886SAlan Wright	boolean_t purge = B_FALSE;
dc20a302Sas200622
29bd2886SAlan Wright	(void) smb_config_getstr(SMB_CI_ADS_SITE, new_site, SMB_ADS_SITE_MAX);
29bd2886SAlan Wright	(void) smb_config_getip(SMB_CI_DOMAIN_SRV, &new_pdc);
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
bbf6f00cSJordan Brown	if (smb_strcasecmp(smb_ads_cfg.c_site, new_site, 0)) {
29bd2886SAlan Wright		(void) strlcpy(smb_ads_cfg.c_site, new_site, SMB_ADS_SITE_MAX);
29bd2886SAlan Wright		purge = B_TRUE;
29bd2886SAlan Wright	}
29bd2886SAlan Wright
29bd2886SAlan Wright	smb_ads_cfg.c_pdc = new_pdc;
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cached_host_mtx);
29bd2886SAlan Wright	if (smb_ads_cached_host_info &&
29bd2886SAlan Wright	    smb_ads_is_pdc_configured() &&
29bd2886SAlan Wright	    !smb_ads_match_pdc(smb_ads_cached_host_info))
29bd2886SAlan Wright		purge = B_TRUE;
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cached_host_mtx);
29bd2886SAlan Wright
29bd2886SAlan Wright	if (purge)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_free_cached_host();
dc20a302Sas200622}
29bd2886SAlan Wright
29bd2886SAlan Wright
29bd2886SAlan Wright
29bd2886SAlan Wrightstatic boolean_t
29bd2886SAlan Wrightsmb_ads_is_pdc_configured(void)
29bd2886SAlan Wright{
29bd2886SAlan Wright	boolean_t configured;
29bd2886SAlan Wright
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright	configured = !smb_inet_iszero(&smb_ads_cfg.c_pdc);
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright
29bd2886SAlan Wright	return (configured);
dc20a302Sas200622}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_build_unc_name
da6c28aaSamw *
da6c28aaSamw * Construct the UNC name of the share object in the format of
da6c28aaSamw * \\hostname.domain\shareUNC
da6c28aaSamw *
da6c28aaSamw * Returns 0 on success, -1 on error.
da6c28aaSamw */
da6c28aaSamwint
3db3f65cSamwsmb_ads_build_unc_name(char *unc_name, int maxlen,
da6c28aaSamw    const char *hostname, const char *shareUNC)
da6c28aaSamw{
dc20a302Sas200622	char my_domain[MAXHOSTNAMELEN];
da6c28aaSamw
dc20a302Sas200622	if (smb_getfqdomainname(my_domain, sizeof (my_domain)) != 0)
da6c28aaSamw		return (-1);
da6c28aaSamw
da6c28aaSamw	(void) snprintf(unc_name, maxlen, "\\\\%s.%s\\%s",
da6c28aaSamw	    hostname, my_domain, shareUNC);
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
c8ec8eeaSjose borrego * smb_ads_ldap_ping
3db3f65cSamw *
c8ec8eeaSjose borrego * This is used to bind to an ADS server to see
c8ec8eeaSjose borrego * if it is still alive.
c8ec8eeaSjose borrego *
da6c28aaSamw * Returns:
da6c28aaSamw *   -1: error
da6c28aaSamw *    0: successful
da6c28aaSamw */
da6c28aaSamw/*ARGSUSED*/
da6c28aaSamwstatic int
c8ec8eeaSjose borregosmb_ads_ldap_ping(smb_ads_host_info_t *ads_host)
da6c28aaSamw{
c8ec8eeaSjose borrego	int ldversion = LDAP_VERSION3, status, timeoutms = 5 * 1000;
c8ec8eeaSjose borrego	LDAP *ld = NULL;
c8ec8eeaSjose borrego
7f667e74Sjose borrego	ld = ldap_init(ads_host->name, ads_host->port);
c8ec8eeaSjose borrego	if (ld == NULL)
c8ec8eeaSjose borrego		return (-1);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	ldversion = LDAP_VERSION3;
c8ec8eeaSjose borrego	(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion);
c8ec8eeaSjose borrego	/* setup TCP/IP connect timeout */
c8ec8eeaSjose borrego	(void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeoutms);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	status = ldap_bind_s(ld, "", NULL, LDAP_AUTH_SIMPLE);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	if (status != LDAP_SUCCESS) {
c8ec8eeaSjose borrego		(void) ldap_unbind(ld);
c8ec8eeaSjose borrego		return (-1);
c8ec8eeaSjose borrego	}
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	(void) ldap_unbind(ld);
c8ec8eeaSjose borrego
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
29bd2886SAlan Wright * The cached ADS host is no longer valid if one of the following criteria
29bd2886SAlan Wright * is satisfied:
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
29bd2886SAlan Wright * 1) not in the specified domain
29bd2886SAlan Wright * 2) not the sought host (if specified)
29bd2886SAlan Wright * 3) not reachable
29bd2886SAlan Wright *
29bd2886SAlan Wright * The caller is responsible for acquiring the smb_ads_cached_host_mtx lock
29bd2886SAlan Wright * prior to calling this function.
29bd2886SAlan Wright *
29bd2886SAlan Wright * Return B_TRUE if the cache host is still valid. Otherwise, return B_FALSE.
da6c28aaSamw */
29bd2886SAlan Wrightstatic boolean_t
29bd2886SAlan Wrightsmb_ads_validate_cache_host(char *domain, char *srv)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (!smb_ads_cached_host_info)
29bd2886SAlan Wright		return (B_FALSE);
29bd2886SAlan Wright
29bd2886SAlan Wright	if (!smb_ads_is_same_domain(smb_ads_cached_host_info->name, domain))
29bd2886SAlan Wright		return (B_FALSE);
29bd2886SAlan Wright
29bd2886SAlan Wright	if (smb_ads_ldap_ping(smb_ads_cached_host_info) == 0) {
29bd2886SAlan Wright		if (!srv)
29bd2886SAlan Wright			return (B_TRUE);
29bd2886SAlan Wright
29bd2886SAlan Wright		if (smb_ads_is_sought_host(smb_ads_cached_host_info, srv))
29bd2886SAlan Wright			return (B_TRUE);
da6c28aaSamw	}
da6c28aaSamw
29bd2886SAlan Wright	return (B_FALSE);
da6c28aaSamw}
3db3f65cSamw
da6c28aaSamw/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_is_sought_host
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns true, if the sought host name matches the input host (host) name.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * The sought host is expected to be in Fully Qualified Domain Name (FQDN)
b89a8333Snatalie li - Sun Microsystems - Irvine United States * format.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic boolean_t
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_is_sought_host(smb_ads_host_info_t *host, char *sought_host_name)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((host == NULL) || (sought_host_name == NULL))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (B_FALSE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
bbf6f00cSJordan Brown	if (smb_strcasecmp(host->name, sought_host_name, 0))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (B_FALSE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (B_TRUE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_match_hosts_same_domain
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns true, if the cached ADS host is in the same domain as the
b89a8333Snatalie li - Sun Microsystems - Irvine United States * current (given) domain.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic boolean_t
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_is_same_domain(char *cached_host_name, char *current_domain)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *cached_host_domain;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((cached_host_name == NULL) || (current_domain == NULL))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (B_FALSE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	cached_host_domain = strchr(cached_host_name, '.');
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (cached_host_domain == NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (B_FALSE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	++cached_host_domain;
bbf6f00cSJordan Brown	if (smb_strcasecmp(cached_host_domain, current_domain, 0))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (B_FALSE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (B_TRUE);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
3db3f65cSamw * smb_ads_skip_ques_sec
3db3f65cSamw * Skips the question section.
3db3f65cSamw */
3db3f65cSamwstatic int
3db3f65cSamwsmb_ads_skip_ques_sec(int qcnt, uchar_t **ptr, uchar_t *eom)
3db3f65cSamw{
3db3f65cSamw	int i, len;
3db3f65cSamw
3db3f65cSamw	for (i = 0; i < qcnt; i++) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if ((len = dn_skipname(*ptr, eom)) < 0)
3db3f65cSamw			return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw		*ptr += len + QFIXEDSZ;
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	return (0);
3db3f65cSamw}
3db3f65cSamw
3db3f65cSamw/*
3db3f65cSamw * smb_ads_decode_host_ans_sec
c8ec8eeaSjose borrego * Decodes ADS hosts, priority, weight and port number from the answer
c8ec8eeaSjose borrego * section based on the current buffer pointer.
3db3f65cSamw */
3db3f65cSamwstatic int
3db3f65cSamwsmb_ads_decode_host_ans_sec(int ans_cnt, uchar_t **ptr, uchar_t *eom,
3db3f65cSamw    uchar_t *buf, smb_ads_host_info_t *ads_host_list)
3db3f65cSamw{
3db3f65cSamw	int i, len;
3db3f65cSamw	smb_ads_host_info_t *ads_host;
3db3f65cSamw
3db3f65cSamw	for (i = 0; i < ans_cnt; i++) {
3db3f65cSamw		ads_host = &ads_host_list[i];
3db3f65cSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if ((len = dn_skipname(*ptr, eom)) < 0)
3db3f65cSamw			return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw
3db3f65cSamw		*ptr += len;
3db3f65cSamw
3db3f65cSamw		/* skip type, class, ttl */
3db3f65cSamw		*ptr += 8;
3db3f65cSamw		/* data size */
3db3f65cSamw		*ptr += 2;
3db3f65cSamw
c8ec8eeaSjose borrego		/* Get priority, weight */
c8ec8eeaSjose borrego		/* LINTED: E_CONSTANT_CONDITION */
c8ec8eeaSjose borrego		NS_GET16(ads_host->priority, *ptr);
c8ec8eeaSjose borrego		/* LINTED: E_CONSTANT_CONDITION */
c8ec8eeaSjose borrego		NS_GET16(ads_host->weight, *ptr);
c8ec8eeaSjose borrego
3db3f65cSamw		/* port */
3db3f65cSamw		/* LINTED: E_CONSTANT_CONDITION */
3db3f65cSamw		NS_GET16(ads_host->port, *ptr);
3db3f65cSamw		/* domain name */
3db3f65cSamw		len = dn_expand(buf, eom, *ptr, ads_host->name, MAXHOSTNAMELEN);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (len < 0)
3db3f65cSamw			return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw		*ptr += len;
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	return (0);
3db3f65cSamw}
3db3f65cSamw
3db3f65cSamw/*
3db3f65cSamw * smb_ads_skip_auth_sec
3db3f65cSamw * Skips the authority section.
3db3f65cSamw */
3db3f65cSamwstatic int
3db3f65cSamwsmb_ads_skip_auth_sec(int ns_cnt, uchar_t **ptr, uchar_t *eom)
3db3f65cSamw{
3db3f65cSamw	int i, len;
3db3f65cSamw	uint16_t size;
3db3f65cSamw
3db3f65cSamw	for (i = 0; i < ns_cnt; i++) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if ((len = dn_skipname(*ptr, eom)) < 0)
3db3f65cSamw			return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw		*ptr += len;
3db3f65cSamw		/* skip type, class, ttl */
3db3f65cSamw		*ptr += 8;
3db3f65cSamw		/* get len of data */
3db3f65cSamw		/* LINTED: E_CONSTANT_CONDITION */
3db3f65cSamw		NS_GET16(size, *ptr);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if ((*ptr + size) > eom)
3db3f65cSamw			return (-1);
3db3f65cSamw
3db3f65cSamw		*ptr += size;
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	return (0);
3db3f65cSamw}
3db3f65cSamw
3db3f65cSamw/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_decode_host_ip
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
3db3f65cSamw * Decodes ADS hosts and IP Addresses from the additional section based
3db3f65cSamw * on the current buffer pointer.
3db3f65cSamw */
3db3f65cSamwstatic int
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_decode_host_ip(int addit_cnt, int ans_cnt, uchar_t **ptr,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    uchar_t *eom, uchar_t *buf, smb_ads_host_info_t *ads_host_list)
3db3f65cSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int i, j, len;
7f667e74Sjose borrego	smb_inaddr_t ipaddr;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char hostname[MAXHOSTNAMELEN];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *name;
7f667e74Sjose borrego	uint16_t size = 0;
3db3f65cSamw
3db3f65cSamw	for (i = 0; i < addit_cnt; i++) {
3db3f65cSamw
3db3f65cSamw		/* domain name */
b89a8333Snatalie li - Sun Microsystems - Irvine United States		len = dn_expand(buf, eom, *ptr, hostname, MAXHOSTNAMELEN);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (len < 0)
3db3f65cSamw			return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw		*ptr += len;
3db3f65cSamw
3db3f65cSamw		/* skip type, class, TTL, data len */
7f667e74Sjose borrego		*ptr += 8;
3db3f65cSamw		/* LINTED: E_CONSTANT_CONDITION */
7f667e74Sjose borrego		NS_GET16(size, *ptr);
7f667e74Sjose borrego
*b819cea2SGordon Ross		if (size == NS_INADDRSZ) {
7f667e74Sjose borrego			/* LINTED: E_CONSTANT_CONDITION */
7f667e74Sjose borrego			NS_GET32(ipaddr.a_ipv4, *ptr);
7f667e74Sjose borrego			ipaddr.a_ipv4 = htonl(ipaddr.a_ipv4);
7f667e74Sjose borrego			ipaddr.a_family = AF_INET;
*b819cea2SGordon Ross		} else if (size == NS_IN6ADDRSZ) {
7f667e74Sjose borrego#ifdef BIG_ENDIAN
*b819cea2SGordon Ross			bcopy(*ptr, &ipaddr.a_ipv6, NS_IN6ADDRSZ);
7f667e74Sjose borrego#else
*b819cea2SGordon Ross			for (i = 0; i < NS_IN6ADDRSZ; i++)
7f667e74Sjose borrego				(uint8_t *)(ipaddr.a_ipv6)
*b819cea2SGordon Ross				    [NS_IN6ADDRSZ-1-i] = *(*ptr+i);
7f667e74Sjose borrego#endif
7f667e74Sjose borrego			ipaddr.a_family = AF_INET6;
c5866007SKeyur Desai			*ptr += size;
7f667e74Sjose borrego		}
3db3f65cSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States		/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * find the host in the list of DC records from
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * the answer section, that matches the host in the
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * additional section, and set its IP address.
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 */
b89a8333Snatalie li - Sun Microsystems - Irvine United States		for (j = 0; j < ans_cnt; j++) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			if ((name = ads_host_list[j].name) == NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States				continue;
bbf6f00cSJordan Brown			if (smb_strcasecmp(name, hostname, 0) == 0) {
7f667e74Sjose borrego				ads_host_list[j].ipaddr = ipaddr;
b89a8333Snatalie li - Sun Microsystems - Irvine United States			}
3db3f65cSamw		}
7f667e74Sjose borrego	}
3db3f65cSamw	return (0);
3db3f65cSamw}
3db3f65cSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_dup_host_info
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Duplicates the passed smb_ads_host_info_t structure.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Caller must free memory allocated by this method.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns a reference to the duplicated smb_ads_host_info_t structure.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns NULL on error.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_host_info_t *
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_dup_host_info(smb_ads_host_info_t *ads_host)
3db3f65cSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_host_info_t *dup_host;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (ads_host == NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	dup_host = malloc(sizeof (smb_ads_host_info_t));
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (dup_host != NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		bcopy(ads_host, dup_host, sizeof (smb_ads_host_info_t));
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (dup_host);
c8ec8eeaSjose borrego}
3db3f65cSamw
c8ec8eeaSjose borrego/*
c8ec8eeaSjose borrego * smb_ads_hlist_alloc
c8ec8eeaSjose borrego */
a0aa776eSAlan Wrightstatic smb_ads_host_list_t *
c8ec8eeaSjose borregosmb_ads_hlist_alloc(int count)
c8ec8eeaSjose borrego{
c8ec8eeaSjose borrego	int size;
c8ec8eeaSjose borrego	smb_ads_host_list_t *hlist;
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (count == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
c8ec8eeaSjose borrego	size = sizeof (smb_ads_host_info_t) * count;
c8ec8eeaSjose borrego	hlist = (smb_ads_host_list_t *)malloc(sizeof (smb_ads_host_list_t));
c8ec8eeaSjose borrego	if (hlist == NULL)
c8ec8eeaSjose borrego		return (NULL);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	hlist->ah_cnt = count;
c8ec8eeaSjose borrego	hlist->ah_list = (smb_ads_host_info_t *)malloc(size);
c8ec8eeaSjose borrego	if (hlist->ah_list == NULL) {
c8ec8eeaSjose borrego		free(hlist);
c8ec8eeaSjose borrego		return (NULL);
c8ec8eeaSjose borrego	}
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	bzero(hlist->ah_list, size);
c8ec8eeaSjose borrego	return (hlist);
c8ec8eeaSjose borrego}
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego/*
c8ec8eeaSjose borrego * smb_ads_hlist_free
c8ec8eeaSjose borrego */
c8ec8eeaSjose borregostatic void
c8ec8eeaSjose borregosmb_ads_hlist_free(smb_ads_host_list_t *host_list)
c8ec8eeaSjose borrego{
c8ec8eeaSjose borrego	if (host_list == NULL)
c8ec8eeaSjose borrego		return;
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	free(host_list->ah_list);
c8ec8eeaSjose borrego	free(host_list);
3db3f65cSamw}
3db3f65cSamw
3db3f65cSamw/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_query_dns_server
c8ec8eeaSjose borrego *
3db3f65cSamw * This routine sends a DNS service location (SRV) query message to the
3db3f65cSamw * DNS server via TCP to query it for a list of ADS server(s). Once a reply
b89a8333Snatalie li - Sun Microsystems - Irvine United States * is received, the reply message is parsed to get the hostname. If there are IP
3db3f65cSamw * addresses populated in the additional section then the additional section
3db3f65cSamw * is parsed to obtain the IP addresses.
da6c28aaSamw *
da6c28aaSamw * The service location of _ldap._tcp.dc.msdcs.<ADS domain> is used to
da6c28aaSamw * guarantee that Microsoft domain controllers are returned.  Microsoft domain
da6c28aaSamw * controllers are also ADS servers.
da6c28aaSamw *
da6c28aaSamw * The ADS hostnames are stored in the answer section of the DNS reply message.
3db3f65cSamw * The IP addresses are stored in the additional section.
da6c28aaSamw *
da6c28aaSamw * The DNS reply message may be in compress formed.  The compression is done
da6c28aaSamw * on repeating domain name label in the message.  i.e hostname.
c8ec8eeaSjose borrego *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Upon successful completion, host list of ADS server(s) is returned.
da6c28aaSamw */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_host_list_t *
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_query_dns_server(char *domain, char *msdcs_svc_name)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_host_list_t *hlist = NULL;
3db3f65cSamw	int len, qcnt, ans_cnt, ns_cnt, addit_cnt;
3db3f65cSamw	uchar_t *ptr, *eom;
3db3f65cSamw	struct __res_state res_state;
3db3f65cSamw	union {
3db3f65cSamw		HEADER hdr;
3db3f65cSamw		uchar_t buf[NS_MAXMSG];
3db3f65cSamw	} msg;
faa1795aSjb150015
3db3f65cSamw	bzero(&res_state, sizeof (struct __res_state));
3db3f65cSamw	if (res_ninit(&res_state) < 0)
da6c28aaSamw		return (NULL);
da6c28aaSamw
3db3f65cSamw	/* use TCP */
3db3f65cSamw	res_state.options |= RES_USEVC;
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	len = res_nquerydomain(&res_state, msdcs_svc_name, domain,
3db3f65cSamw	    C_IN, T_SRV, msg.buf, sizeof (msg.buf));
3db3f65cSamw
3db3f65cSamw	if (len < 0) {
fc724630SAlan Wright		syslog(LOG_NOTICE, "DNS query for %s failed: %s",
b89a8333Snatalie li - Sun Microsystems - Irvine United States		    msdcs_svc_name, hstrerror(res_state.res_h_errno));
b89a8333Snatalie li - Sun Microsystems - Irvine United States		res_ndestroy(&res_state);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
3db3f65cSamw	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw	if (len > sizeof (msg.buf)) {
fc724630SAlan Wright		syslog(LOG_NOTICE,
fc724630SAlan Wright		    "DNS query for %s failed: too big", msdcs_svc_name);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		res_ndestroy(&res_state);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
3db3f65cSamw	}
3db3f65cSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	/* parse the reply, skip header and question sections */
3db3f65cSamw	ptr = msg.buf + sizeof (msg.hdr);
3db3f65cSamw	eom = msg.buf + len;
3db3f65cSamw
3db3f65cSamw	/* check truncated message bit */
3db3f65cSamw	if (msg.hdr.tc)
fc724630SAlan Wright		syslog(LOG_NOTICE,
fc724630SAlan Wright		    "DNS query for %s failed: truncated", msdcs_svc_name);
3db3f65cSamw
3db3f65cSamw	qcnt = ntohs(msg.hdr.qdcount);
3db3f65cSamw	ans_cnt = ntohs(msg.hdr.ancount);
3db3f65cSamw	ns_cnt = ntohs(msg.hdr.nscount);
3db3f65cSamw	addit_cnt = ntohs(msg.hdr.arcount);
3db3f65cSamw
3db3f65cSamw	if (smb_ads_skip_ques_sec(qcnt, &ptr, eom) != 0) {
3db3f65cSamw		res_ndestroy(&res_state);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	hlist = smb_ads_hlist_alloc(ans_cnt);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (hlist == NULL) {
3db3f65cSamw		res_ndestroy(&res_state);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	/* walk through the answer section */
3db3f65cSamw	if (smb_ads_decode_host_ans_sec(ans_cnt, &ptr, eom, msg.buf,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    hlist->ah_list) != 0) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_hlist_free(hlist);
3db3f65cSamw		res_ndestroy(&res_state);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	/* check authority section */
c8ec8eeaSjose borrego	if (ns_cnt > 0) {
3db3f65cSamw		if (smb_ads_skip_auth_sec(ns_cnt, &ptr, eom) != 0) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			smb_ads_hlist_free(hlist);
3db3f65cSamw			res_ndestroy(&res_state);
3db3f65cSamw			return (NULL);
da6c28aaSamw		}
c8ec8eeaSjose borrego	}
da6c28aaSamw
0dcb3379Sjb150015	/*
0dcb3379Sjb150015	 * Check additional section to get IP address of ADS host.
0dcb3379Sjb150015	 */
dc20a302Sas200622	if (addit_cnt > 0) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (smb_ads_decode_host_ip(addit_cnt, ans_cnt,
b89a8333Snatalie li - Sun Microsystems - Irvine United States		    &ptr, eom, msg.buf, hlist->ah_list) != 0) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			smb_ads_hlist_free(hlist);
3db3f65cSamw			res_ndestroy(&res_state);
da6c28aaSamw			return (NULL);
da6c28aaSamw		}
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
da6c28aaSamw
3db3f65cSamw	res_ndestroy(&res_state);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (hlist);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
fc724630SAlan Wright * smb_ads_get_site_service
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
fc724630SAlan Wright * Gets the msdcs SRV RR for the specified site.
da6c28aaSamw */
dc20a302Sas200622static void
fc724630SAlan Wrightsmb_ads_get_site_service(char *site_service, size_t len)
da6c28aaSamw{
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright	if (*smb_ads_cfg.c_site == '\0')
b89a8333Snatalie li - Sun Microsystems - Irvine United States		*site_service = '\0';
b89a8333Snatalie li - Sun Microsystems - Irvine United States	else
fc724630SAlan Wright		(void) snprintf(site_service, len,
29bd2886SAlan Wright		    SMB_ADS_MSDCS_SRV_SITE_RR, smb_ads_cfg.c_site);
fc724630SAlan Wright
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
da6c28aaSamw}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_getipnodebyname
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * This method gets the IP address by doing a host name lookup.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic int
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_getipnodebyname(smb_ads_host_info_t *hentry)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	struct hostent *h;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int error;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
7f667e74Sjose borrego	switch (hentry->ipaddr.a_family) {
7f667e74Sjose borrego	case AF_INET6:
7f667e74Sjose borrego		h = getipnodebyname(hentry->name, hentry->ipaddr.a_family,
7f667e74Sjose borrego		    AI_DEFAULT, &error);
*b819cea2SGordon Ross		if (h == NULL || h->h_length != NS_IN6ADDRSZ)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			return (-1);
7f667e74Sjose borrego		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
7f667e74Sjose borrego	case AF_INET:
7f667e74Sjose borrego		h = getipnodebyname(hentry->name, hentry->ipaddr.a_family,
7f667e74Sjose borrego		    0, &error);
*b819cea2SGordon Ross		if (h == NULL || h->h_length != NS_INADDRSZ)
7f667e74Sjose borrego			return (-1);
7f667e74Sjose borrego		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
7f667e74Sjose borrego	default:
7f667e74Sjose borrego		return (-1);
7f667e74Sjose borrego	}
7f667e74Sjose borrego	bcopy(*(h->h_addr_list), &hentry->ipaddr.a_ip, h->h_length);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	freehostent(h);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (0);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
96a62adaSjoyce mcintosh *  Checks the IP address to see if it is zero.  If so, then do a host
96a62adaSjoyce mcintosh *  lookup by hostname to get the IP address based on the IP family.
96a62adaSjoyce mcintosh *
96a62adaSjoyce mcintosh *  If the family is unknown then do a lookup by hostame based on the
96a62adaSjoyce mcintosh *  setting of the SMB_CI_IPV6_ENABLE property.
96a62adaSjoyce mcintosh */
96a62adaSjoyce mcintoshstatic int
96a62adaSjoyce mcintoshsmb_ads_set_ipaddr(smb_ads_host_info_t *hentry)
96a62adaSjoyce mcintosh{
96a62adaSjoyce mcintosh	if (smb_inet_iszero(&hentry->ipaddr)) {
96a62adaSjoyce mcintosh		if (smb_ads_getipnodebyname(hentry) < 0)
96a62adaSjoyce mcintosh			return (-1);
96a62adaSjoyce mcintosh	} else if (SMB_ADS_AF_UNKNOWN(hentry)) {
96a62adaSjoyce mcintosh		hentry->ipaddr.a_family =
96a62adaSjoyce mcintosh		    smb_config_getbool(SMB_CI_IPV6_ENABLE) ? AF_INET6 : AF_INET;
96a62adaSjoyce mcintosh
96a62adaSjoyce mcintosh		if (smb_ads_getipnodebyname(hentry) < 0) {
96a62adaSjoyce mcintosh			hentry->ipaddr.a_family = 0;
96a62adaSjoyce mcintosh			return (-1);
96a62adaSjoyce mcintosh		}
96a62adaSjoyce mcintosh	}
96a62adaSjoyce mcintosh
96a62adaSjoyce mcintosh	return (0);
96a62adaSjoyce mcintosh}
96a62adaSjoyce mcintosh
96a62adaSjoyce mcintosh/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_find_host
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
29bd2886SAlan Wright * Finds an ADS host in a given domain.
29bd2886SAlan Wright *
29bd2886SAlan Wright * If the cached host is valid, it will be used. Otherwise, a DC will
29bd2886SAlan Wright * be selected based on the following criteria:
29bd2886SAlan Wright *
29bd2886SAlan Wright * 1) pdc (aka preferred DC) configuration
29bd2886SAlan Wright * 2) AD site configuration - the scope of the DNS lookup will be
29bd2886SAlan Wright * restricted to the specified site.
29bd2886SAlan Wright * 3) DC on the same subnet
29bd2886SAlan Wright * 4) DC with the lowest priority/highest weight
29bd2886SAlan Wright *
29bd2886SAlan Wright * The above items are listed in decreasing preference order. The selected
29bd2886SAlan Wright * DC must be online.
29bd2886SAlan Wright *
29bd2886SAlan Wright * If this function is called during domain join, the specified kpasswd server
29bd2886SAlan Wright * takes precedence over preferred DC, AD site, and so on.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Parameters:
29bd2886SAlan Wright *   domain: fully-qualified domain name.
29bd2886SAlan Wright *   kpasswd_srv: fully-quailifed hostname of the kpasswd server.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns:
29bd2886SAlan Wright *   A copy of the cached host info is returned. The caller is responsible
29bd2886SAlan Wright *   for deallocating the memory returned by this function.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*ARGSUSED*/
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_host_info_t *
29bd2886SAlan Wrightsmb_ads_find_host(char *domain, char *kpasswd_srv)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int i;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char site_service[MAXHOSTNAMELEN];
29bd2886SAlan Wright	smb_ads_host_list_t *hlist, *hlist2;
29bd2886SAlan Wright	smb_ads_host_info_t *hlistp = NULL, *host = NULL;
29bd2886SAlan Wright	smb_ads_host_info_t *found_kpasswd_srv = NULL;
29bd2886SAlan Wright	smb_ads_host_info_t *found_pdc = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	if ((kpasswd_srv) && (*kpasswd_srv == '\0'))
29bd2886SAlan Wright		kpasswd_srv = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cached_host_mtx);
29bd2886SAlan Wright	if (smb_ads_validate_cache_host(domain, kpasswd_srv)) {
29bd2886SAlan Wright		host = smb_ads_dup_host_info(smb_ads_cached_host_info);
29bd2886SAlan Wright		(void) mutex_unlock(&smb_ads_cached_host_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (host);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cached_host_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_free_cached_host();
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States	 * First look for ADS hosts in ADS site if configured.  Then try
b89a8333Snatalie li - Sun Microsystems - Irvine United States	 * without ADS site info.
b89a8333Snatalie li - Sun Microsystems - Irvine United States	 */
fc724630SAlan Wright	hlist = NULL;
fc724630SAlan Wright	smb_ads_get_site_service(site_service, MAXHOSTNAMELEN);
29bd2886SAlan Wright
29bd2886SAlan Wright	/*
29bd2886SAlan Wright	 * If we're given an AD, the DNS SRV RR lookup should not be restricted
29bd2886SAlan Wright	 * to the specified site since there is no guarantee that the specified
29bd2886SAlan Wright	 * AD is in the specified site.
29bd2886SAlan Wright	 */
29bd2886SAlan Wright	if (*site_service != '\0' && !kpasswd_srv &&
29bd2886SAlan Wright	    !smb_ads_is_pdc_configured())
fc724630SAlan Wright		hlist = smb_ads_query_dns_server(domain, site_service);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
fc724630SAlan Wright	if (!hlist)
fc724630SAlan Wright		hlist = smb_ads_query_dns_server(domain,
fc724630SAlan Wright		    SMB_ADS_MSDCS_SRV_DC_RR);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((hlist == NULL) || (hlist->ah_list == NULL) || (hlist->ah_cnt == 0))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	for (i = 0, hlistp = hlist->ah_list; i < hlist->ah_cnt; i++) {
96a62adaSjoyce mcintosh		if (smb_ads_set_ipaddr(&hlistp[i]) < 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			continue;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright		if (smb_ads_is_sought_host(&hlistp[i], kpasswd_srv))
29bd2886SAlan Wright			found_kpasswd_srv = &hlistp[i];
29bd2886SAlan Wright
29bd2886SAlan Wright		if (smb_ads_match_pdc(&hlistp[i]))
29bd2886SAlan Wright			found_pdc = &hlistp[i];
29bd2886SAlan Wright	}
29bd2886SAlan Wright
29bd2886SAlan Wright	if (found_kpasswd_srv && smb_ads_ldap_ping(found_kpasswd_srv) == 0) {
29bd2886SAlan Wright		host = found_kpasswd_srv;
29bd2886SAlan Wright		goto update_cache;
29bd2886SAlan Wright	}
29bd2886SAlan Wright
29bd2886SAlan Wright	if (found_pdc && smb_ads_ldap_ping(found_pdc) == 0) {
29bd2886SAlan Wright		host = found_pdc;
29bd2886SAlan Wright		goto update_cache;
29bd2886SAlan Wright	}
29bd2886SAlan Wright
29bd2886SAlan Wright	/*
29bd2886SAlan Wright	 * If the specified DC (kpasswd_srv or pdc) is not found, fallback
29bd2886SAlan Wright	 * to find a DC in the specified AD site.
29bd2886SAlan Wright	 */
29bd2886SAlan Wright	if (*site_service != '\0' &&
29bd2886SAlan Wright	    (kpasswd_srv || smb_ads_is_pdc_configured())) {
29bd2886SAlan Wright		hlist2 = smb_ads_query_dns_server(domain, site_service);
29bd2886SAlan Wright		if (hlist2 && hlist2->ah_list && hlist2->ah_cnt != 0) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			smb_ads_hlist_free(hlist);
29bd2886SAlan Wright			hlist = hlist2;
29bd2886SAlan Wright			hlistp = hlist->ah_list;
29bd2886SAlan Wright
96a62adaSjoyce mcintosh			for (i = 0; i < hlist->ah_cnt; i++)
96a62adaSjoyce mcintosh				(void) smb_ads_set_ipaddr(&hlistp[i]);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		}
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	/* Select DC from DC list */
29bd2886SAlan Wright	host = smb_ads_select_dc(hlist);
29bd2886SAlan Wright
29bd2886SAlan Wrightupdate_cache:
29bd2886SAlan Wright	if (host) {
29bd2886SAlan Wright		(void) mutex_lock(&smb_ads_cached_host_mtx);
29bd2886SAlan Wright		if (!smb_ads_cached_host_info)
29bd2886SAlan Wright			smb_ads_cached_host_info = smb_ads_dup_host_info(host);
29bd2886SAlan Wright		host = smb_ads_dup_host_info(smb_ads_cached_host_info);
29bd2886SAlan Wright		(void) mutex_unlock(&smb_ads_cached_host_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_hlist_free(hlist);
29bd2886SAlan Wright	return (host);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Return the number of dots in a string.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic int
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_count_dots(const char *s)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int ndots = 0;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	while (*s) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (*s++ == '.')
b89a8333Snatalie li - Sun Microsystems - Irvine United States			ndots++;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (ndots);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Convert a domain name in dot notation to distinguished name format,
b89a8333Snatalie li - Sun Microsystems - Irvine United States * for example: sun.com -> dc=sun,dc=com.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns a pointer to an allocated buffer containing the distinguished
b89a8333Snatalie li - Sun Microsystems - Irvine United States * name.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic char *
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_convert_domain(const char *domain_name)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	const char *s;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *dn_name;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char buf[2];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int ndots;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int len;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (domain_name == NULL || *domain_name == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	ndots = smb_ads_count_dots(domain_name);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	++ndots;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	len = strlen(domain_name) + (ndots * SMB_ADS_DN_PREFIX_LEN) + 1;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((dn_name = malloc(len)) == NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	bzero(dn_name, len);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) strlcpy(dn_name, "dc=", len);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	buf[1] = '\0';
b89a8333Snatalie li - Sun Microsystems - Irvine United States	s = domain_name;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	while (*s) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (*s == '.') {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			(void) strlcat(dn_name, ",dc=", len);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		} else {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			buf[0] = *s;
b89a8333Snatalie li - Sun Microsystems - Irvine United States			(void) strlcat(dn_name, buf, len);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		}
b89a8333Snatalie li - Sun Microsystems - Irvine United States		++s;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (dn_name);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_free_cached_host
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Free the memory use by the global smb_ads_cached_host_info & set it to NULL.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic void
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_free_cached_host(void)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) mutex_lock(&smb_ads_cached_host_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_ads_cached_host_info) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		free(smb_ads_cached_host_info);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_cached_host_info = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) mutex_unlock(&smb_ads_cached_host_mtx);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_open
55bf511dSas200622 * Open a LDAP connection to an ADS server if the system is in domain mode.
55bf511dSas200622 * Acquire both Kerberos TGT and LDAP service tickets for the host principal.
55bf511dSas200622 *
55bf511dSas200622 * This function should only be called after the system is successfully joined
55bf511dSas200622 * to a domain.
55bf511dSas200622 */
3db3f65cSamwsmb_ads_handle_t *
3db3f65cSamwsmb_ads_open(void)
55bf511dSas200622{
dc20a302Sas200622	char domain[MAXHOSTNAMELEN];
55bf511dSas200622
dc20a302Sas200622	if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
55bf511dSas200622		return (NULL);
55bf511dSas200622
dc20a302Sas200622	if (smb_getfqdomainname(domain, MAXHOSTNAMELEN) != 0)
dc20a302Sas200622		return (NULL);
dc20a302Sas200622
3db3f65cSamw	return (smb_ads_open_main(domain, NULL, NULL));
55bf511dSas200622}
55bf511dSas200622
a0aa776eSAlan Wrightstatic int
a0aa776eSAlan Wrightsmb_ads_saslcallback(LDAP *ld, unsigned flags, void *defaults, void *prompts)
a0aa776eSAlan Wright{
a0aa776eSAlan Wright	NOTE(ARGUNUSED(ld, defaults));
a0aa776eSAlan Wright	sasl_interact_t *interact;
a0aa776eSAlan Wright
a0aa776eSAlan Wright	if (prompts == NULL || flags != LDAP_SASL_INTERACTIVE)
a0aa776eSAlan Wright		return (LDAP_PARAM_ERROR);
a0aa776eSAlan Wright
a0aa776eSAlan Wright	/* There should be no extra arguemnts for SASL/GSSAPI authentication */
a0aa776eSAlan Wright	for (interact = prompts; interact->id != SASL_CB_LIST_END;
a0aa776eSAlan Wright	    interact++) {
a0aa776eSAlan Wright		interact->result = NULL;
a0aa776eSAlan Wright		interact->len = 0;
a0aa776eSAlan Wright	}
a0aa776eSAlan Wright	return (LDAP_SUCCESS);
a0aa776eSAlan Wright}
a0aa776eSAlan Wright
55bf511dSas200622/*
3db3f65cSamw * smb_ads_open_main
da6c28aaSamw * Open a LDAP connection to an ADS server.
55bf511dSas200622 * If ADS is enabled and the administrative username, password, and
da6c28aaSamw * ADS domain are defined then query DNS to find an ADS server if this is the
da6c28aaSamw * very first call to this routine.  After an ADS server is found then this
da6c28aaSamw * server will be used everytime this routine is called until the system is
da6c28aaSamw * rebooted or the ADS server becomes unavailable then an ADS server will
3db3f65cSamw * be queried again.  After the connection is made then an ADS handle
da6c28aaSamw * is created to be returned.
da6c28aaSamw *
da6c28aaSamw * After the LDAP connection, the LDAP version will be set to 3 using
da6c28aaSamw * ldap_set_option().
da6c28aaSamw *
a0aa776eSAlan Wright * The LDAP connection is bound before the ADS handle is returned.
da6c28aaSamw * Parameters:
dc20a302Sas200622 *   domain - fully-qualified domain name
dc20a302Sas200622 *   user   - the user account for whom the Kerberos TGT ticket and ADS
dc20a302Sas200622 *            service tickets are acquired.
dc20a302Sas200622 *   password - password of the specified user
dc20a302Sas200622 *
da6c28aaSamw * Returns:
da6c28aaSamw *   NULL              : can't connect to ADS server or other errors
3db3f65cSamw *   smb_ads_handle_t* : handle to ADS server
da6c28aaSamw */
3db3f65cSamwstatic smb_ads_handle_t *
3db3f65cSamwsmb_ads_open_main(char *domain, char *user, char *password)
da6c28aaSamw{
3db3f65cSamw	smb_ads_handle_t *ah;
da6c28aaSamw	LDAP *ld;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int version = 3;
3db3f65cSamw	smb_ads_host_info_t *ads_host = NULL;
a0aa776eSAlan Wright	int rc;
a0aa776eSAlan Wright
a0aa776eSAlan Wright	if (user != NULL) {
a0aa776eSAlan Wright		if (smb_kinit(user, password) == 0)
a0aa776eSAlan Wright			return (NULL);
a0aa776eSAlan Wright		user = NULL;
a0aa776eSAlan Wright		password = NULL;
a0aa776eSAlan Wright	}
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	ads_host = smb_ads_find_host(domain, NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (ads_host == NULL)
da6c28aaSamw		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
3db3f65cSamw	ah = (smb_ads_handle_t *)malloc(sizeof (smb_ads_handle_t));
29bd2886SAlan Wright	if (ah == NULL) {
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
29bd2886SAlan Wright	}
29bd2886SAlan Wright
3db3f65cSamw	(void) memset(ah, 0, sizeof (smb_ads_handle_t));
da6c28aaSamw
7f667e74Sjose borrego	if ((ld = ldap_init(ads_host->name, ads_host->port)) == NULL) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_free_cached_host();
da6c28aaSamw		free(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)
da6c28aaSamw	    != LDAP_SUCCESS) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_free_cached_host();
da6c28aaSamw		free(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		(void) ldap_unbind(ld);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
c8ec8eeaSjose borrego	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
da6c28aaSamw	ah->ld = ld;
da6c28aaSamw	ah->domain = strdup(domain);
da6c28aaSamw
55bf511dSas200622	if (ah->domain == NULL) {
3db3f65cSamw		smb_ads_close(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	/*
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	 * ah->domain is often used for generating service principal name.
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	 * Convert it to lower case for RFC 4120 section 6.2.1 conformance.
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	 */
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	(void) smb_strlwr(ah->domain);
3db3f65cSamw	ah->domain_dn = smb_ads_convert_domain(domain);
da6c28aaSamw	if (ah->domain_dn == NULL) {
3db3f65cSamw		smb_ads_close(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	ah->hostname = strdup(ads_host->name);
da6c28aaSamw	if (ah->hostname == NULL) {
3db3f65cSamw		smb_ads_close(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright	if (*smb_ads_cfg.c_site != '\0') {
29bd2886SAlan Wright		if ((ah->site = strdup(smb_ads_cfg.c_site)) == NULL) {
3db3f65cSamw			smb_ads_close(ah);
29bd2886SAlan Wright			(void) mutex_unlock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright			free(ads_host);
da6c28aaSamw			return (NULL);
da6c28aaSamw		}
da6c28aaSamw	} else {
da6c28aaSamw		ah->site = NULL;
da6c28aaSamw	}
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
da6c28aaSamw
a0aa776eSAlan Wright	rc = ldap_sasl_interactive_bind_s(ah->ld, "", "GSSAPI", NULL, NULL,
a0aa776eSAlan Wright	    LDAP_SASL_INTERACTIVE, &smb_ads_saslcallback, NULL);
a0aa776eSAlan Wright	if (rc != LDAP_SUCCESS) {
a0aa776eSAlan Wright		syslog(LOG_ERR, "ldal_sasl_interactive_bind_s failed (%s)",
a0aa776eSAlan Wright		    ldap_err2string(rc));
3db3f65cSamw		smb_ads_close(ah);
29bd2886SAlan Wright		free(ads_host);
da6c28aaSamw		return (NULL);
da6c28aaSamw	}
da6c28aaSamw
29bd2886SAlan Wright	free(ads_host);
da6c28aaSamw	return (ah);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_close
da6c28aaSamw * Close connection to ADS server and free memory allocated for ADS handle.
da6c28aaSamw * LDAP unbind is called here.
da6c28aaSamw * Parameters:
da6c28aaSamw *   ah: handle to ADS server
da6c28aaSamw * Returns:
da6c28aaSamw *   void
da6c28aaSamw */
da6c28aaSamwvoid
3db3f65cSamwsmb_ads_close(smb_ads_handle_t *ah)
da6c28aaSamw{
da6c28aaSamw	if (ah == NULL)
da6c28aaSamw		return;
da6c28aaSamw	/* close and free connection resources */
da6c28aaSamw	if (ah->ld)
da6c28aaSamw		(void) ldap_unbind(ah->ld);
da6c28aaSamw
da6c28aaSamw	free(ah->domain);
da6c28aaSamw	free(ah->domain_dn);
da6c28aaSamw	free(ah->hostname);
da6c28aaSamw	free(ah->site);
da6c28aaSamw	free(ah);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_alloc_attr
6537f381Sas200622 *
6537f381Sas200622 * Since the attrs is a null-terminated array, all elements
6537f381Sas200622 * in the array (except the last one) will point to allocated
6537f381Sas200622 * memory.
6537f381Sas200622 */
6537f381Sas200622static int
3db3f65cSamwsmb_ads_alloc_attr(LDAPMod *attrs[], int num)
6537f381Sas200622{
6537f381Sas200622	int i;
6537f381Sas200622
6537f381Sas200622	bzero(attrs, num * sizeof (LDAPMod *));
6537f381Sas200622	for (i = 0; i < (num - 1); i++) {
6537f381Sas200622		attrs[i] = (LDAPMod *)malloc(sizeof (LDAPMod));
6537f381Sas200622		if (attrs[i] == NULL) {
3db3f65cSamw			smb_ads_free_attr(attrs);
6537f381Sas200622			return (-1);
6537f381Sas200622		}
6537f381Sas200622	}
6537f381Sas200622
6537f381Sas200622	return (0);
6537f381Sas200622}
6537f381Sas200622
6537f381Sas200622/*
3db3f65cSamw * smb_ads_free_attr
da6c28aaSamw * Free memory allocated when publishing a share.
da6c28aaSamw * Parameters:
55bf511dSas200622 *   attrs: an array of LDAPMod pointers
da6c28aaSamw * Returns:
da6c28aaSamw *   None
da6c28aaSamw */
da6c28aaSamwstatic void
3db3f65cSamwsmb_ads_free_attr(LDAPMod *attrs[])
da6c28aaSamw{
da6c28aaSamw	int i;
55bf511dSas200622	for (i = 0; attrs[i]; i++) {
55bf511dSas200622		free(attrs[i]);
da6c28aaSamw	}
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
fe1c642dSBill Krier * Returns share DN in an allocated buffer.  The format of the DN is
fe1c642dSBill Krier * cn=<sharename>,<container RDNs>,<domain DN>
fe1c642dSBill Krier *
fe1c642dSBill Krier * If the domain DN is not included in the container parameter,
fe1c642dSBill Krier * then it will be appended to create the share DN.
fe1c642dSBill Krier *
fe1c642dSBill Krier * The caller must free the allocated buffer.
fe1c642dSBill Krier */
fe1c642dSBill Krierstatic char *
fe1c642dSBill Kriersmb_ads_get_sharedn(const char *sharename, const char *container,
fe1c642dSBill Krier    const char *domain_dn)
fe1c642dSBill Krier{
fe1c642dSBill Krier	char *share_dn;
fe1c642dSBill Krier	int rc, offset, container_len, domain_len;
fe1c642dSBill Krier	boolean_t append_domain = B_TRUE;
fe1c642dSBill Krier
fe1c642dSBill Krier	container_len = strlen(container);
fe1c642dSBill Krier	domain_len = strlen(domain_dn);
fe1c642dSBill Krier
fe1c642dSBill Krier	if (container_len >= domain_len) {
fe1c642dSBill Krier
fe1c642dSBill Krier		/* offset to last domain_len characters */
fe1c642dSBill Krier		offset = container_len - domain_len;
fe1c642dSBill Krier
fe1c642dSBill Krier		if (smb_strcasecmp(container + offset,
fe1c642dSBill Krier		    domain_dn, domain_len) == 0)
fe1c642dSBill Krier			append_domain = B_FALSE;
fe1c642dSBill Krier	}
fe1c642dSBill Krier
fe1c642dSBill Krier	if (append_domain)
fe1c642dSBill Krier		rc = asprintf(&share_dn, "cn=%s,%s,%s", sharename,
fe1c642dSBill Krier		    container, domain_dn);
fe1c642dSBill Krier	else
fe1c642dSBill Krier		rc = asprintf(&share_dn, "cn=%s,%s", sharename,
fe1c642dSBill Krier		    container);
fe1c642dSBill Krier
fe1c642dSBill Krier	return ((rc == -1) ? NULL : share_dn);
fe1c642dSBill Krier}
fe1c642dSBill Krier
fe1c642dSBill Krier/*
3db3f65cSamw * smb_ads_add_share
3db3f65cSamw * Call by smb_ads_publish_share to create share object in ADS.
da6c28aaSamw * This routine specifies the attributes of an ADS LDAP share object. The first
da6c28aaSamw * attribute and values define the type of ADS object, the share object.  The
da6c28aaSamw * second attribute and value define the UNC of the share data for the share
da6c28aaSamw * object. The LDAP synchronous add command is used to add the object into ADS.
da6c28aaSamw * The container location to add the object needs to specified.
da6c28aaSamw * Parameters:
da6c28aaSamw *   ah          : handle to ADS server
da6c28aaSamw *   adsShareName: name of share object to be created in ADS
da6c28aaSamw *   shareUNC    : share name on NetForce
da6c28aaSamw *   adsContainer: location in ADS to create share object
da6c28aaSamw *
da6c28aaSamw * Returns:
da6c28aaSamw *   -1          : error
da6c28aaSamw *    0          : success
da6c28aaSamw */
da6c28aaSamwint
3db3f65cSamwsmb_ads_add_share(smb_ads_handle_t *ah, const char *adsShareName,
da6c28aaSamw    const char *unc_name, const char *adsContainer)
da6c28aaSamw{
3db3f65cSamw	LDAPMod *attrs[SMB_ADS_SHARE_NUM_ATTR];
55bf511dSas200622	int j = 0;
da6c28aaSamw	char *share_dn;
fe1c642dSBill Krier	int ret;
7f667e74Sjose borrego	char *unc_names[] = {(char *)unc_name, NULL};
da6c28aaSamw
fe1c642dSBill Krier	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
fe1c642dSBill Krier	    ah->domain_dn)) == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
3db3f65cSamw	if (smb_ads_alloc_attr(attrs, SMB_ADS_SHARE_NUM_ATTR) != 0) {
55bf511dSas200622		free(share_dn);
55bf511dSas200622		return (-1);
55bf511dSas200622	}
55bf511dSas200622
55bf511dSas200622	attrs[j]->mod_op = LDAP_MOD_ADD;
55bf511dSas200622	attrs[j]->mod_type = "objectClass";
7f667e74Sjose borrego	attrs[j]->mod_values = smb_ads_share_objcls;
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = LDAP_MOD_ADD;
55bf511dSas200622	attrs[j]->mod_type = "uNCName";
7f667e74Sjose borrego	attrs[j]->mod_values = unc_names;
da6c28aaSamw
55bf511dSas200622	if ((ret = ldap_add_s(ah->ld, share_dn, attrs)) != LDAP_SUCCESS) {
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States		if (ret == LDAP_NO_SUCH_OBJECT) {
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			syslog(LOG_ERR, "Failed to publish share %s in" \
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			    " AD.  Container does not exist: %s.\n",
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			    adsShareName, share_dn);
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States		} else {
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			syslog(LOG_ERR, "Failed to publish share %s in" \
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			    " AD: %s (%s).\n", adsShareName, share_dn,
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States			    ldap_err2string(ret));
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States		}
3db3f65cSamw		smb_ads_free_attr(attrs);
da6c28aaSamw		free(share_dn);
da6c28aaSamw		return (ret);
da6c28aaSamw	}
da6c28aaSamw	free(share_dn);
3db3f65cSamw	smb_ads_free_attr(attrs);
da6c28aaSamw
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_del_share
3db3f65cSamw * Call by smb_ads_remove_share to remove share object from ADS.  The container
da6c28aaSamw * location to remove the object needs to specified.  The LDAP synchronous
da6c28aaSamw * delete command is used.
da6c28aaSamw * Parameters:
da6c28aaSamw *   ah          : handle to ADS server
da6c28aaSamw *   adsShareName: name of share object in ADS to be removed
da6c28aaSamw *   adsContainer: location of share object in ADS
da6c28aaSamw * Returns:
da6c28aaSamw *   -1          : error
da6c28aaSamw *    0          : success
da6c28aaSamw */
da6c28aaSamwstatic int
3db3f65cSamwsmb_ads_del_share(smb_ads_handle_t *ah, const char *adsShareName,
da6c28aaSamw    const char *adsContainer)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *share_dn;
fe1c642dSBill Krier	int ret;
da6c28aaSamw
fe1c642dSBill Krier	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
fe1c642dSBill Krier	    ah->domain_dn)) == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
da6c28aaSamw	if ((ret = ldap_delete_s(ah->ld, share_dn)) != LDAP_SUCCESS) {
fc724630SAlan Wright		smb_tracef("ldap_delete: %s", ldap_err2string(ret));
da6c28aaSamw		free(share_dn);
da6c28aaSamw		return (-1);
da6c28aaSamw	}
da6c28aaSamw	free(share_dn);
da6c28aaSamw
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_escape_search_filter_chars
da6c28aaSamw *
da6c28aaSamw * This routine will escape the special characters found in a string
da6c28aaSamw * that will later be passed to the ldap search filter.
da6c28aaSamw *
da6c28aaSamw * RFC 1960 - A String Representation of LDAP Search Filters
da6c28aaSamw * 3.  String Search Filter Definition
da6c28aaSamw * If a value must contain one of the characters '*' OR '(' OR ')',
da6c28aaSamw * these characters
da6c28aaSamw * should be escaped by preceding them with the backslash '\' character.
da6c28aaSamw *
da6c28aaSamw * RFC 2252 - LDAP Attribute Syntax Definitions
da6c28aaSamw * a backslash quoting mechanism is used to escape
da6c28aaSamw * the following separator symbol character (such as "'", "$" or "#") if
da6c28aaSamw * it should occur in that string.
da6c28aaSamw */
da6c28aaSamwstatic int
3db3f65cSamwsmb_ads_escape_search_filter_chars(const char *src, char *dst)
da6c28aaSamw{
3db3f65cSamw	int avail = SMB_ADS_MAXBUFLEN - 1; /* reserve a space for NULL char */
da6c28aaSamw
da6c28aaSamw	if (src == NULL || dst == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
da6c28aaSamw	while (*src) {
da6c28aaSamw		if (!avail) {
da6c28aaSamw			*dst = 0;
da6c28aaSamw			return (-1);
da6c28aaSamw		}
da6c28aaSamw
da6c28aaSamw		switch (*src) {
da6c28aaSamw		case '\\':
da6c28aaSamw		case '\'':
da6c28aaSamw		case '$':
da6c28aaSamw		case '#':
da6c28aaSamw		case '*':
da6c28aaSamw		case '(':
da6c28aaSamw		case ')':
da6c28aaSamw			*dst++ = '\\';
da6c28aaSamw			avail--;
da6c28aaSamw			/* fall through */
da6c28aaSamw
da6c28aaSamw		default:
da6c28aaSamw			*dst++ = *src++;
da6c28aaSamw			avail--;
da6c28aaSamw		}
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	*dst = 0;
da6c28aaSamw
da6c28aaSamw	return (0);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_lookup_share
da6c28aaSamw * The search filter is set to search for a specific share name in the
da6c28aaSamw * specified ADS container.  The LDSAP synchronous search command is used.
da6c28aaSamw * Parameters:
da6c28aaSamw *   ah          : handle to ADS server
da6c28aaSamw *   adsShareName: name of share object in ADS to be searched
da6c28aaSamw *   adsContainer: location of share object in ADS
da6c28aaSamw * Returns:
da6c28aaSamw *   -1          : error
da6c28aaSamw *    0          : not found
da6c28aaSamw *    1          : found
da6c28aaSamw */
da6c28aaSamwint
3db3f65cSamwsmb_ads_lookup_share(smb_ads_handle_t *ah, const char *adsShareName,
da6c28aaSamw    const char *adsContainer, char *unc_name)
da6c28aaSamw{
3db3f65cSamw	char *attrs[4], filter[SMB_ADS_MAXBUFLEN];
da6c28aaSamw	char *share_dn;
fe1c642dSBill Krier	int ret;
da6c28aaSamw	LDAPMessage *res;
3db3f65cSamw	char tmpbuf[SMB_ADS_MAXBUFLEN];
da6c28aaSamw
da6c28aaSamw	if (adsShareName == NULL || adsContainer == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
fe1c642dSBill Krier	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
fe1c642dSBill Krier	    ah->domain_dn)) == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
da6c28aaSamw	res = NULL;
da6c28aaSamw	attrs[0] = "cn";
da6c28aaSamw	attrs[1] = "objectClass";
da6c28aaSamw	attrs[2] = "uNCName";
da6c28aaSamw	attrs[3] = NULL;
da6c28aaSamw
3db3f65cSamw	if (smb_ads_escape_search_filter_chars(unc_name, tmpbuf) != 0) {
da6c28aaSamw		free(share_dn);
da6c28aaSamw		return (-1);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	(void) snprintf(filter, sizeof (filter),
da6c28aaSamw	    "(&(objectClass=volume)(uNCName=%s))", tmpbuf);
da6c28aaSamw
da6c28aaSamw	if ((ret = ldap_search_s(ah->ld, share_dn,
da6c28aaSamw	    LDAP_SCOPE_BASE, filter, attrs, 0, &res)) != LDAP_SUCCESS) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (ret != LDAP_NO_SUCH_OBJECT)
fc724630SAlan Wright			smb_tracef("%s: ldap_search: %s", share_dn,
fc724630SAlan Wright			    ldap_err2string(ret));
b89a8333Snatalie li - Sun Microsystems - Irvine United States
da6c28aaSamw		(void) ldap_msgfree(res);
da6c28aaSamw		free(share_dn);
da6c28aaSamw		return (0);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	(void) free(share_dn);
da6c28aaSamw
da6c28aaSamw	/* no match is found */
da6c28aaSamw	if (ldap_count_entries(ah->ld, res) == 0) {
da6c28aaSamw		(void) ldap_msgfree(res);
da6c28aaSamw		return (0);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	/* free the search results */
da6c28aaSamw	(void) ldap_msgfree(res);
da6c28aaSamw
da6c28aaSamw	return (1);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_publish_share
da6c28aaSamw * Publish share into ADS.  If a share name already exist in ADS in the same
da6c28aaSamw * container then the existing share object is removed before adding the new
da6c28aaSamw * share object.
da6c28aaSamw * Parameters:
3db3f65cSamw *   ah          : handle return from smb_ads_open
da6c28aaSamw *   adsShareName: name of share to be added to ADS directory
da6c28aaSamw *   shareUNC    : name of share on client, can be NULL to use the same name
da6c28aaSamw *                 as adsShareName
da6c28aaSamw *   adsContainer: location for share to be added in ADS directory, ie
da6c28aaSamw *                   ou=share_folder
da6c28aaSamw *   uncType     : use UNC_HOSTNAME to use hostname for UNC, use UNC_HOSTADDR
da6c28aaSamw *                   to use host ip addr for UNC.
da6c28aaSamw * Returns:
da6c28aaSamw *   -1          : error
da6c28aaSamw *    0          : success
da6c28aaSamw */
da6c28aaSamwint
3db3f65cSamwsmb_ads_publish_share(smb_ads_handle_t *ah, const char *adsShareName,
da6c28aaSamw    const char *shareUNC, const char *adsContainer, const char *hostname)
da6c28aaSamw{
da6c28aaSamw	int ret;
3db3f65cSamw	char unc_name[SMB_ADS_MAXBUFLEN];
da6c28aaSamw
da6c28aaSamw	if (adsShareName == NULL || adsContainer == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw
da6c28aaSamw	if (shareUNC == 0 || *shareUNC == 0)
da6c28aaSamw		shareUNC = adsShareName;
da6c28aaSamw
3db3f65cSamw	if (smb_ads_build_unc_name(unc_name, sizeof (unc_name),
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    hostname, shareUNC) < 0)
da6c28aaSamw		return (-1);
da6c28aaSamw
3db3f65cSamw	ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name);
da6c28aaSamw
da6c28aaSamw	switch (ret) {
da6c28aaSamw	case 1:
3db3f65cSamw		(void) smb_ads_del_share(ah, adsShareName, adsContainer);
3db3f65cSamw		ret = smb_ads_add_share(ah, adsShareName, unc_name,
3db3f65cSamw		    adsContainer);
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case 0:
3db3f65cSamw		ret = smb_ads_add_share(ah, adsShareName, unc_name,
3db3f65cSamw		    adsContainer);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (ret == LDAP_ALREADY_EXISTS)
da6c28aaSamw			ret = -1;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
da6c28aaSamw		break;
da6c28aaSamw
da6c28aaSamw	case -1:
da6c28aaSamw	default:
da6c28aaSamw		/* return with error code */
da6c28aaSamw		ret = -1;
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	return (ret);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_remove_share
da6c28aaSamw * Remove share from ADS.  A search is done first before explicitly removing
da6c28aaSamw * the share.
da6c28aaSamw * Parameters:
3db3f65cSamw *   ah          : handle return from smb_ads_open
da6c28aaSamw *   adsShareName: name of share to be removed from ADS directory
da6c28aaSamw *   adsContainer: location for share to be removed from ADS directory, ie
da6c28aaSamw *                   ou=share_folder
da6c28aaSamw * Returns:
da6c28aaSamw *   -1          : error
da6c28aaSamw *    0          : success
da6c28aaSamw */
da6c28aaSamwint
3db3f65cSamwsmb_ads_remove_share(smb_ads_handle_t *ah, const char *adsShareName,
3db3f65cSamw    const char *shareUNC, const char *adsContainer, const char *hostname)
da6c28aaSamw{
da6c28aaSamw	int ret;
3db3f65cSamw	char unc_name[SMB_ADS_MAXBUFLEN];
da6c28aaSamw
da6c28aaSamw	if (adsShareName == NULL || adsContainer == NULL)
da6c28aaSamw		return (-1);
da6c28aaSamw	if (shareUNC == 0 || *shareUNC == 0)
da6c28aaSamw		shareUNC = adsShareName;
da6c28aaSamw
3db3f65cSamw	if (smb_ads_build_unc_name(unc_name, sizeof (unc_name),
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    hostname, shareUNC) < 0)
da6c28aaSamw		return (-1);
da6c28aaSamw
3db3f65cSamw	ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name);
da6c28aaSamw	if (ret == 0)
da6c28aaSamw		return (0);
da6c28aaSamw	if (ret == -1)
da6c28aaSamw		return (-1);
da6c28aaSamw
3db3f65cSamw	return (smb_ads_del_share(ah, adsShareName, adsContainer));
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_get_default_comp_container_dn
da6c28aaSamw *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Build the distinguished name for the default computer conatiner (i.e. the
b89a8333Snatalie li - Sun Microsystems - Irvine United States * pre-defined Computers container).
da6c28aaSamw */
da6c28aaSamwstatic void
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_get_default_comp_container_dn(smb_ads_handle_t *ah, char *buf,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    size_t buflen)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) snprintf(buf, buflen, "cn=%s,%s", SMB_ADS_COMPUTERS_CN,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    ah->domain_dn);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_get_default_comp_dn
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Build the distinguished name for this system.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic void
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_get_default_comp_dn(smb_ads_handle_t *ah, char *buf, size_t buflen)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char nbname[NETBIOS_NAME_SZ];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char container_dn[SMB_ADS_DN_MAX];
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) smb_getnetbiosname(nbname, sizeof (nbname));
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_get_default_comp_container_dn(ah, container_dn, SMB_ADS_DN_MAX);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) snprintf(buf, buflen, "cn=%s,%s", nbname, container_dn);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_add_computer
da6c28aaSamw *
da6c28aaSamw * Returns 0 upon success. Otherwise, returns -1.
da6c28aaSamw */
da6c28aaSamwstatic int
c8ec8eeaSjose borregosmb_ads_add_computer(smb_ads_handle_t *ah, int dclevel, char *dn)
da6c28aaSamw{
c8ec8eeaSjose borrego	return (smb_ads_computer_op(ah, LDAP_MOD_ADD, dclevel, dn));
55bf511dSas200622}
55bf511dSas200622
55bf511dSas200622/*
3db3f65cSamw * smb_ads_modify_computer
55bf511dSas200622 *
55bf511dSas200622 * Returns 0 upon success. Otherwise, returns -1.
55bf511dSas200622 */
55bf511dSas200622static int
c8ec8eeaSjose borregosmb_ads_modify_computer(smb_ads_handle_t *ah, int dclevel, char *dn)
55bf511dSas200622{
c8ec8eeaSjose borrego	return (smb_ads_computer_op(ah, LDAP_MOD_REPLACE, dclevel, dn));
3db3f65cSamw}
3db3f65cSamw
3db3f65cSamw/*
3db3f65cSamw * smb_ads_get_dc_level
3db3f65cSamw *
3db3f65cSamw * Returns the functional level of the DC upon success.
3db3f65cSamw * Otherwise, -1 is returned.
3db3f65cSamw */
3db3f65cSamwstatic int
3db3f65cSamwsmb_ads_get_dc_level(smb_ads_handle_t *ah)
3db3f65cSamw{
3db3f65cSamw	LDAPMessage *res, *entry;
3db3f65cSamw	char *attr[2];
3db3f65cSamw	char **vals;
3db3f65cSamw	int rc = -1;
3db3f65cSamw
3db3f65cSamw	res = NULL;
3db3f65cSamw	attr[0] = SMB_ADS_ATTR_DCLEVEL;
3db3f65cSamw	attr[1] = NULL;
3db3f65cSamw	if (ldap_search_s(ah->ld, "", LDAP_SCOPE_BASE, NULL, attr,
3db3f65cSamw	    0, &res) != LDAP_SUCCESS) {
3db3f65cSamw		(void) ldap_msgfree(res);
3db3f65cSamw		return (-1);
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	/* no match for the specified attribute is found */
3db3f65cSamw	if (ldap_count_entries(ah->ld, res) == 0) {
3db3f65cSamw		(void) ldap_msgfree(res);
3db3f65cSamw		return (-1);
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	entry = ldap_first_entry(ah->ld, res);
3db3f65cSamw	if (entry) {
3db3f65cSamw		if ((vals = ldap_get_values(ah->ld, entry,
3db3f65cSamw		    SMB_ADS_ATTR_DCLEVEL)) == NULL) {
3db3f65cSamw			/*
3db3f65cSamw			 * Observed the values aren't populated
3db3f65cSamw			 * by the Windows 2000 server.
3db3f65cSamw			 */
3db3f65cSamw			(void) ldap_msgfree(res);
3db3f65cSamw			return (SMB_ADS_DCLEVEL_W2K);
3db3f65cSamw		}
3db3f65cSamw
3db3f65cSamw		if (vals[0] != NULL)
3db3f65cSamw			rc = atoi(vals[0]);
3db3f65cSamw
3db3f65cSamw		ldap_value_free(vals);
3db3f65cSamw	}
3db3f65cSamw
3db3f65cSamw	(void) ldap_msgfree(res);
3db3f65cSamw	return (rc);
55bf511dSas200622}
55bf511dSas200622
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States/*
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * The fully-qualified hostname returned by this function is often used for
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * constructing service principal name.  Return the fully-qualified hostname
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States * in lower case for RFC 4120 section 6.2.1 conformance.
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States */
55bf511dSas200622static int
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_getfqhostname(smb_ads_handle_t *ah, char *fqhost, int len)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	if (smb_gethostname(fqhost, len, SMB_CASE_LOWER) != 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (-1);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	(void) snprintf(fqhost, len, "%s.%s", fqhost,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    ah->domain);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (0);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic int
c8ec8eeaSjose borregosmb_ads_computer_op(smb_ads_handle_t *ah, int op, int dclevel, char *dn)
55bf511dSas200622{
3db3f65cSamw	LDAPMod *attrs[SMB_ADS_COMPUTER_NUM_ATTR];
148c5f43SAlan Wright	char *sam_val[2];
148c5f43SAlan Wright	char *ctl_val[2], *fqh_val[2];
3db3f65cSamw	char *encrypt_val[2];
6537f381Sas200622	int j = -1;
da6c28aaSamw	int ret, usrctl_flags = 0;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char sam_acct[SMB_SAMACCT_MAXLEN];
da6c28aaSamw	char fqhost[MAXHOSTNAMELEN];
da6c28aaSamw	char usrctl_buf[16];
3db3f65cSamw	char encrypt_buf[16];
55bf511dSas200622	int max;
148c5f43SAlan Wright	smb_krb5_pn_set_t spn, upn;
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0)
da6c28aaSamw		return (-1);
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (-1);
da6c28aaSamw
148c5f43SAlan Wright	/* The SPN attribute is multi-valued and must be 1 or greater */
148c5f43SAlan Wright	if (smb_krb5_get_pn_set(&spn, SMB_PN_SPN_ATTR, ah->domain) == 0)
6537f381Sas200622		return (-1);
6537f381Sas200622
148c5f43SAlan Wright	/* The UPN attribute is single-valued and cannot be zero */
148c5f43SAlan Wright	if (smb_krb5_get_pn_set(&upn, SMB_PN_UPN_ATTR, ah->domain) != 1) {
148c5f43SAlan Wright		smb_krb5_free_pn_set(&spn);
148c5f43SAlan Wright		smb_krb5_free_pn_set(&upn);
da6c28aaSamw		return (-1);
da6c28aaSamw	}
da6c28aaSamw
3db3f65cSamw	max = (SMB_ADS_COMPUTER_NUM_ATTR - ((op != LDAP_MOD_ADD) ? 1 : 0))
b1352070SAlan Wright	    - (dclevel >= SMB_ADS_DCLEVEL_W2K8 ?  0 : 1);
6537f381Sas200622
3db3f65cSamw	if (smb_ads_alloc_attr(attrs, max) != 0) {
148c5f43SAlan Wright		smb_krb5_free_pn_set(&spn);
148c5f43SAlan Wright		smb_krb5_free_pn_set(&upn);
55bf511dSas200622		return (-1);
55bf511dSas200622	}
55bf511dSas200622
55bf511dSas200622	/* objectClass attribute is not modifiable. */
55bf511dSas200622	if (op == LDAP_MOD_ADD) {
55bf511dSas200622		attrs[++j]->mod_op = op;
55bf511dSas200622		attrs[j]->mod_type = "objectClass";
7f667e74Sjose borrego		attrs[j]->mod_values = smb_ads_computer_objcls;
55bf511dSas200622	}
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = op;
3db3f65cSamw	attrs[j]->mod_type = SMB_ADS_ATTR_SAMACCT;
da6c28aaSamw	sam_val[0] = sam_acct;
da6c28aaSamw	sam_val[1] = 0;
55bf511dSas200622	attrs[j]->mod_values = sam_val;
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = op;
3db3f65cSamw	attrs[j]->mod_type = SMB_ADS_ATTR_UPN;
148c5f43SAlan Wright	attrs[j]->mod_values = upn.s_pns;
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = op;
3db3f65cSamw	attrs[j]->mod_type = SMB_ADS_ATTR_SPN;
148c5f43SAlan Wright	attrs[j]->mod_values =  spn.s_pns;
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = op;
3db3f65cSamw	attrs[j]->mod_type = SMB_ADS_ATTR_CTL;
3db3f65cSamw	usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
3db3f65cSamw	    SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD |
3db3f65cSamw	    SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE);
da6c28aaSamw	(void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", usrctl_flags);
da6c28aaSamw	ctl_val[0] = usrctl_buf;
da6c28aaSamw	ctl_val[1] = 0;
55bf511dSas200622	attrs[j]->mod_values = ctl_val;
da6c28aaSamw
55bf511dSas200622	attrs[++j]->mod_op = op;
3db3f65cSamw	attrs[j]->mod_type = SMB_ADS_ATTR_DNSHOST;
da6c28aaSamw	fqh_val[0] = fqhost;
da6c28aaSamw	fqh_val[1] = 0;
55bf511dSas200622	attrs[j]->mod_values = fqh_val;
da6c28aaSamw
3db3f65cSamw	/* enctypes support starting in Windows Server 2008 */
3db3f65cSamw	if (dclevel > SMB_ADS_DCLEVEL_W2K3) {
3db3f65cSamw		attrs[++j]->mod_op = op;
3db3f65cSamw		attrs[j]->mod_type = SMB_ADS_ATTR_ENCTYPES;
3db3f65cSamw		(void) snprintf(encrypt_buf, sizeof (encrypt_buf), "%d",
3db3f65cSamw		    SMB_ADS_ENC_AES256 + SMB_ADS_ENC_AES128 + SMB_ADS_ENC_RC4 +
3db3f65cSamw		    SMB_ADS_ENC_DES_MD5 + SMB_ADS_ENC_DES_CRC);
3db3f65cSamw		encrypt_val[0] = encrypt_buf;
3db3f65cSamw		encrypt_val[1] = 0;
3db3f65cSamw		attrs[j]->mod_values = encrypt_val;
3db3f65cSamw	}
3db3f65cSamw
55bf511dSas200622	switch (op) {
55bf511dSas200622	case LDAP_MOD_ADD:
55bf511dSas200622		if ((ret = ldap_add_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
fc724630SAlan Wright			syslog(LOG_NOTICE, "ldap_add: %s",
55bf511dSas200622			    ldap_err2string(ret));
da6c28aaSamw			ret = -1;
da6c28aaSamw		}
55bf511dSas200622		break;
da6c28aaSamw
55bf511dSas200622	case LDAP_MOD_REPLACE:
55bf511dSas200622		if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
fc724630SAlan Wright			syslog(LOG_NOTICE, "ldap_modify: %s",
55bf511dSas200622			    ldap_err2string(ret));
55bf511dSas200622			ret = -1;
55bf511dSas200622		}
55bf511dSas200622		break;
55bf511dSas200622
55bf511dSas200622	default:
55bf511dSas200622		ret = -1;
55bf511dSas200622
55bf511dSas200622	}
55bf511dSas200622
3db3f65cSamw	smb_ads_free_attr(attrs);
148c5f43SAlan Wright	smb_krb5_free_pn_set(&spn);
148c5f43SAlan Wright	smb_krb5_free_pn_set(&upn);
da6c28aaSamw
da6c28aaSamw	return (ret);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
da6c28aaSamw * Delete an ADS computer account.
da6c28aaSamw */
da6c28aaSamwstatic void
c8ec8eeaSjose borregosmb_ads_del_computer(smb_ads_handle_t *ah, char *dn)
da6c28aaSamw{
da6c28aaSamw	int rc;
da6c28aaSamw
3db3f65cSamw	if ((rc = ldap_delete_s(ah->ld, dn)) != LDAP_SUCCESS)
fc724630SAlan Wright		smb_tracef("ldap_delete: %s", ldap_err2string(rc));
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Gets the value of the given attribute.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_getattr(LDAP *ld, LDAPMessage *entry, smb_ads_avpair_t *avpair)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char **vals;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	assert(avpair);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	avpair->avp_val = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	vals = ldap_get_values(ld, entry, avpair->avp_attr);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (!vals)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_NOT_FOUND);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (!vals[0]) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		ldap_value_free(vals);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_NOT_FOUND);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	avpair->avp_val = strdup(vals[0]);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (!avpair->avp_val)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		rc = SMB_ADS_STAT_ERR;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	ldap_value_free(vals);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (rc);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Process query's result.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_get_qstat(smb_ads_handle_t *ah, LDAPMessage *res,
b89a8333Snatalie li - Sun Microsystems - Irvine United States    smb_ads_avpair_t *avpair)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char fqhost[MAXHOSTNAMELEN];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_avpair_t dnshost_avp;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	LDAPMessage *entry;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN))
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_ERR);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (ldap_count_entries(ah->ld, res) == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_NOT_FOUND);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((entry = ldap_first_entry(ah->ld, res)) == NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_ERR);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	dnshost_avp.avp_attr = SMB_ADS_ATTR_DNSHOST;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	rc = smb_ads_getattr(ah->ld, entry, &dnshost_avp);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	switch (rc) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States	case SMB_ADS_STAT_FOUND:
b89a8333Snatalie li - Sun Microsystems - Irvine United States		/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * Returns SMB_ADS_STAT_DUP to avoid overwriting
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * the computer account of another system whose
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * NetBIOS name collides with that of the current
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * system.
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 */
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (strcasecmp(dnshost_avp.avp_val, fqhost))
b89a8333Snatalie li - Sun Microsystems - Irvine United States			rc = SMB_ADS_STAT_DUP;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States		free(dnshost_avp.avp_val);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	case SMB_ADS_STAT_NOT_FOUND:
b89a8333Snatalie li - Sun Microsystems - Irvine United States		/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * Pre-created computer account doesn't have
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * the dNSHostname attribute. It's been observed
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * that the dNSHostname attribute is only set after
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * a successful domain join.
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * Returns SMB_ADS_STAT_FOUND as the account is
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 * pre-created for the current system.
b89a8333Snatalie li - Sun Microsystems - Irvine United States		 */
b89a8333Snatalie li - Sun Microsystems - Irvine United States		rc = SMB_ADS_STAT_FOUND;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	default:
b89a8333Snatalie li - Sun Microsystems - Irvine United States		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (rc != SMB_ADS_STAT_FOUND)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (rc);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (avpair)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		rc = smb_ads_getattr(ah->ld, entry, avpair);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (rc);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_lookup_computer_n_attr
da6c28aaSamw *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * If avpair is NULL, checks the status of the specified computer account.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Otherwise, looks up the value of the specified computer account's attribute.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * If found, the value field of the avpair will be allocated and set. The
b89a8333Snatalie li - Sun Microsystems - Irvine United States * caller should free the allocated buffer.
da6c28aaSamw *
da6c28aaSamw * Return:
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  SMB_ADS_STAT_FOUND  - if both the computer and the specified attribute is
b89a8333Snatalie li - Sun Microsystems - Irvine United States *                        found.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  SMB_ADS_STAT_NOT_FOUND - if either the computer or the specified attribute
b89a8333Snatalie li - Sun Microsystems - Irvine United States *                           is not found.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  SMB_ADS_STAT_DUP - if the computer account is already used by other systems
b89a8333Snatalie li - Sun Microsystems - Irvine United States *                     in the AD. This could happen if the hostname of multiple
b89a8333Snatalie li - Sun Microsystems - Irvine United States *                     systems resolved to the same NetBIOS name.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  SMB_ADS_STAT_ERR - any failure.
da6c28aaSamw */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_lookup_computer_n_attr(smb_ads_handle_t *ah, smb_ads_avpair_t *avpair,
c8ec8eeaSjose borrego    int scope, char *dn)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char *attrs[3], filter[SMB_ADS_MAXBUFLEN];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	LDAPMessage *res;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	char sam_acct[SMB_SAMACCT_MAXLEN], sam_acct2[SMB_SAMACCT_MAXLEN];
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_qstat_t rc;
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_ERR);
da6c28aaSamw
da6c28aaSamw	res = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	attrs[0] = SMB_ADS_ATTR_DNSHOST;
da6c28aaSamw	attrs[1] = NULL;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	attrs[2] = NULL;
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (avpair) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (!avpair->avp_attr)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			return (SMB_ADS_STAT_ERR);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States		attrs[1] = avpair->avp_attr;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_ads_escape_search_filter_chars(sam_acct, sam_acct2) != 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_ERR);
da6c28aaSamw
c8ec8eeaSjose borrego	(void) snprintf(filter, sizeof (filter),
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    "(&(objectClass=computer)(%s=%s))", SMB_ADS_ATTR_SAMACCT,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    sam_acct2);
da6c28aaSamw
c8ec8eeaSjose borrego	if (ldap_search_s(ah->ld, dn, scope, filter, attrs, 0,
da6c28aaSamw	    &res) != LDAP_SUCCESS) {
da6c28aaSamw		(void) ldap_msgfree(res);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (SMB_ADS_STAT_NOT_FOUND);
da6c28aaSamw	}
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	rc = smb_ads_get_qstat(ah, res, avpair);
da6c28aaSamw	/* free the search results */
da6c28aaSamw	(void) ldap_msgfree(res);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (rc);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_find_computer
da6c28aaSamw *
c8ec8eeaSjose borrego * Starts by searching for the system's AD computer object in the default
c8ec8eeaSjose borrego * container (i.e. cn=Computers).  If not found, searches the entire directory.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * If found, 'dn' will be set to the distinguished name of the system's AD
b89a8333Snatalie li - Sun Microsystems - Irvine United States * computer object.
da6c28aaSamw */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_qstat_t
c8ec8eeaSjose borregosmb_ads_find_computer(smb_ads_handle_t *ah, char *dn)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_qstat_t stat;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_avpair_t avpair;
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	avpair.avp_attr = SMB_ADS_ATTR_DN;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_get_default_comp_container_dn(ah, dn, SMB_ADS_DN_MAX);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	stat = smb_ads_lookup_computer_n_attr(ah, &avpair, LDAP_SCOPE_ONELEVEL,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    dn);
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (stat == SMB_ADS_STAT_NOT_FOUND) {
c8ec8eeaSjose borrego		(void) strlcpy(dn, ah->domain_dn, SMB_ADS_DN_MAX);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		stat = smb_ads_lookup_computer_n_attr(ah, &avpair,
b89a8333Snatalie li - Sun Microsystems - Irvine United States		    LDAP_SCOPE_SUBTREE, dn);
c8ec8eeaSjose borrego	}
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (stat == SMB_ADS_STAT_FOUND) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		(void) strlcpy(dn, avpair.avp_val, SMB_ADS_DN_MAX);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		free(avpair.avp_val);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (stat);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_update_computer_cntrl_attr
da6c28aaSamw *
da6c28aaSamw * Modify the user account control attribute of an existing computer
da6c28aaSamw * object on AD.
da6c28aaSamw *
7f667e74Sjose borrego * Returns LDAP error code.
da6c28aaSamw */
da6c28aaSamwstatic int
7f667e74Sjose borregosmb_ads_update_computer_cntrl_attr(smb_ads_handle_t *ah, int flags, char *dn)
da6c28aaSamw{
6537f381Sas200622	LDAPMod *attrs[2];
da6c28aaSamw	char *ctl_val[2];
7f667e74Sjose borrego	int ret = 0;
da6c28aaSamw	char usrctl_buf[16];
da6c28aaSamw
3db3f65cSamw	if (smb_ads_alloc_attr(attrs, sizeof (attrs) / sizeof (LDAPMod *)) != 0)
7f667e74Sjose borrego		return (LDAP_NO_MEMORY);
6537f381Sas200622
6537f381Sas200622	attrs[0]->mod_op = LDAP_MOD_REPLACE;
3db3f65cSamw	attrs[0]->mod_type = SMB_ADS_ATTR_CTL;
da6c28aaSamw
7f667e74Sjose borrego	(void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", flags);
da6c28aaSamw	ctl_val[0] = usrctl_buf;
da6c28aaSamw	ctl_val[1] = 0;
6537f381Sas200622	attrs[0]->mod_values = ctl_val;
da6c28aaSamw	if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
fc724630SAlan Wright		syslog(LOG_NOTICE, "ldap_modify: %s", ldap_err2string(ret));
da6c28aaSamw	}
da6c28aaSamw
3db3f65cSamw	smb_ads_free_attr(attrs);
da6c28aaSamw	return (ret);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_lookup_computer_attr_kvno
da6c28aaSamw *
da6c28aaSamw * Lookup the value of the Kerberos version number attribute of the computer
da6c28aaSamw * account.
da6c28aaSamw */
da6c28aaSamwstatic krb5_kvno
c8ec8eeaSjose borregosmb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *ah, char *dn)
da6c28aaSamw{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_avpair_t avpair;
da6c28aaSamw	int kvno = 1;
da6c28aaSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	avpair.avp_attr = SMB_ADS_ATTR_KVNO;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (smb_ads_lookup_computer_n_attr(ah, &avpair,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    LDAP_SCOPE_BASE, dn) == SMB_ADS_STAT_FOUND) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		kvno = atoi(avpair.avp_val);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		free(avpair.avp_val);
da6c28aaSamw	}
da6c28aaSamw
da6c28aaSamw	return (kvno);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
3db3f65cSamw * smb_ads_join
da6c28aaSamw *
da6c28aaSamw * Besides the NT-4 style domain join (using MS-RPC), CIFS server also
da6c28aaSamw * provides the domain join using Kerberos Authentication, Keberos
55bf511dSas200622 * Change & Set password, and LDAP protocols. Basically, AD join
da6c28aaSamw * operation would require the following tickets to be acquired for the
da6c28aaSamw * the user account that is provided for the domain join.
da6c28aaSamw *
da6c28aaSamw * 1) a Keberos TGT ticket,
da6c28aaSamw * 2) a ldap service ticket, and
da6c28aaSamw * 3) kadmin/changpw service ticket
da6c28aaSamw *
da6c28aaSamw * The ADS client first sends a ldap search request to find out whether
da6c28aaSamw * or not the workstation trust account already exists in the Active Directory.
da6c28aaSamw * The existing computer object for this workstation will be removed and
da6c28aaSamw * a new one will be added. The machine account password is randomly
3db3f65cSamw * generated and set for the newly created computer object using KPASSWD
da6c28aaSamw * protocol (See RFC 3244). Once the password is set, our ADS client
da6c28aaSamw * finalizes the machine account by modifying the user acount control
da6c28aaSamw * attribute of the computer object. Kerberos keys derived from the machine
da6c28aaSamw * account password will be stored locally in /etc/krb5/krb5.keytab file.
da6c28aaSamw * That would be needed while acquiring Kerberos TGT ticket for the host
da6c28aaSamw * principal after the domain join operation.
da6c28aaSamw */
3db3f65cSamwsmb_adjoin_status_t
1ed6b69aSGordon Rosssmb_ads_join(char *domain, char *user, char *usr_passwd, char *machine_passwd)
da6c28aaSamw{
3db3f65cSamw	smb_ads_handle_t *ah = NULL;
da6c28aaSamw	krb5_context ctx = NULL;
148c5f43SAlan Wright	krb5_principal *krb5princs = NULL;
da6c28aaSamw	krb5_kvno kvno;
cbfb650aScp160787	boolean_t des_only, delete = B_TRUE;
3db3f65cSamw	smb_adjoin_status_t rc = SMB_ADJOIN_SUCCESS;
55bf511dSas200622	boolean_t new_acct;
7f667e74Sjose borrego	int dclevel, num, usrctl_flags = 0;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_qstat_t qstat;
c8ec8eeaSjose borrego	char dn[SMB_ADS_DN_MAX];
c28afb19SYuri Pankov	char tmpfile[] = SMBNS_KRB5_KEYTAB_TMP;
148c5f43SAlan Wright	int cnt;
148c5f43SAlan Wright	smb_krb5_pn_set_t spns;
3db3f65cSamw
3db3f65cSamw	krb5_enctype *encptr;
3db3f65cSamw
3db3f65cSamw	if ((ah = smb_ads_open_main(domain, user, usr_passwd)) == NULL) {
faa1795aSjb150015		smb_ccache_remove(SMB_CCACHE_PATH);
3db3f65cSamw		return (SMB_ADJOIN_ERR_GET_HANDLE);
55bf511dSas200622	}
55bf511dSas200622
3db3f65cSamw	if ((dclevel = smb_ads_get_dc_level(ah)) == -1) {
3db3f65cSamw		smb_ads_close(ah);
3db3f65cSamw		smb_ccache_remove(SMB_CCACHE_PATH);
3db3f65cSamw		return (SMB_ADJOIN_ERR_GET_DCLEVEL);
3db3f65cSamw	}
3db3f65cSamw
b89a8333Snatalie li - Sun Microsystems - Irvine United States	qstat = smb_ads_find_computer(ah, dn);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	switch (qstat) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States	case SMB_ADS_STAT_FOUND:
55bf511dSas200622		new_acct = B_FALSE;
c8ec8eeaSjose borrego		if (smb_ads_modify_computer(ah, dclevel, dn) != 0) {
3db3f65cSamw			smb_ads_close(ah);
faa1795aSjb150015			smb_ccache_remove(SMB_CCACHE_PATH);
3db3f65cSamw			return (SMB_ADJOIN_ERR_MOD_TRUST_ACCT);
55bf511dSas200622		}
b89a8333Snatalie li - Sun Microsystems - Irvine United States		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	case SMB_ADS_STAT_NOT_FOUND:
55bf511dSas200622		new_acct = B_TRUE;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_get_default_comp_dn(ah, dn, SMB_ADS_DN_MAX);
c8ec8eeaSjose borrego		if (smb_ads_add_computer(ah, dclevel, dn) != 0) {
3db3f65cSamw			smb_ads_close(ah);
faa1795aSjb150015			smb_ccache_remove(SMB_CCACHE_PATH);
3db3f65cSamw			return (SMB_ADJOIN_ERR_ADD_TRUST_ACCT);
55bf511dSas200622		}
b89a8333Snatalie li - Sun Microsystems - Irvine United States		break;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	default:
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (qstat == SMB_ADS_STAT_DUP)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			rc = SMB_ADJOIN_ERR_DUP_TRUST_ACCT;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		else
b89a8333Snatalie li - Sun Microsystems - Irvine United States			rc = SMB_ADJOIN_ERR_TRUST_ACCT;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ads_close(ah);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		smb_ccache_remove(SMB_CCACHE_PATH);
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (rc);
55bf511dSas200622	}
55bf511dSas200622
55bf511dSas200622	des_only = B_FALSE;
da6c28aaSamw
da6c28aaSamw	if (smb_krb5_ctx_init(&ctx) != 0) {
3db3f65cSamw		rc = SMB_ADJOIN_ERR_INIT_KRB_CTX;
da6c28aaSamw		goto adjoin_cleanup;
da6c28aaSamw	}
da6c28aaSamw
148c5f43SAlan Wright	if (smb_krb5_get_pn_set(&spns, SMB_PN_KEYTAB_ENTRY, ah->domain) == 0) {
3db3f65cSamw		rc = SMB_ADJOIN_ERR_GET_SPNS;
da6c28aaSamw		goto adjoin_cleanup;
da6c28aaSamw	}
da6c28aaSamw
148c5f43SAlan Wright	if (smb_krb5_get_kprincs(ctx, spns.s_pns, spns.s_cnt, &krb5princs)
148c5f43SAlan Wright	    != 0) {
148c5f43SAlan Wright		smb_krb5_free_pn_set(&spns);
148c5f43SAlan Wright		rc = SMB_ADJOIN_ERR_GET_SPNS;
148c5f43SAlan Wright		goto adjoin_cleanup;
148c5f43SAlan Wright	}
148c5f43SAlan Wright
148c5f43SAlan Wright	cnt = spns.s_cnt;
148c5f43SAlan Wright	smb_krb5_free_pn_set(&spns);
148c5f43SAlan Wright
1ed6b69aSGordon Ross	/* New machine_passwd was filled in by our caller. */
148c5f43SAlan Wright	if (smb_krb5_setpwd(ctx, ah->domain, machine_passwd) != 0) {
3db3f65cSamw		rc = SMB_ADJOIN_ERR_KSETPWD;
da6c28aaSamw		goto adjoin_cleanup;
da6c28aaSamw	}
da6c28aaSamw
c8ec8eeaSjose borrego	kvno = smb_ads_lookup_computer_attr_kvno(ah, dn);
55bf511dSas200622
7f667e74Sjose borrego	/*
7f667e74Sjose borrego	 * Only members of Domain Admins and Enterprise Admins can set
7f667e74Sjose borrego	 * the TRUSTED_FOR_DELEGATION userAccountControl flag.
7f667e74Sjose borrego	 */
7f667e74Sjose borrego	if (smb_ads_update_computer_cntrl_attr(ah,
037cac00Sjoyce mcintosh	    SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
7f667e74Sjose borrego	    SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION, dn)
7f667e74Sjose borrego	    == LDAP_INSUFFICIENT_ACCESS) {
7f667e74Sjose borrego		usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
7f667e74Sjose borrego		    SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD);
7f667e74Sjose borrego
fc724630SAlan Wright		syslog(LOG_NOTICE, "Unable to set the "
7f667e74Sjose borrego		    "TRUSTED_FOR_DELEGATION userAccountControl flag on "
7f667e74Sjose borrego		    "the machine account in Active Directory.  Please refer "
7f667e74Sjose borrego		    "to the Troubleshooting guide for more information.");
7f667e74Sjose borrego
7f667e74Sjose borrego	} else {
7f667e74Sjose borrego		usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
7f667e74Sjose borrego		    SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION |
7f667e74Sjose borrego		    SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD);
7f667e74Sjose borrego	}
7f667e74Sjose borrego
7f667e74Sjose borrego	if (des_only)
7f667e74Sjose borrego		usrctl_flags |= SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY;
7f667e74Sjose borrego
7f667e74Sjose borrego	if (smb_ads_update_computer_cntrl_attr(ah, usrctl_flags, dn)
c8ec8eeaSjose borrego	    != 0) {
3db3f65cSamw		rc = SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR;
da6c28aaSamw		goto adjoin_cleanup;
da6c28aaSamw	}
55bf511dSas200622
c28afb19SYuri Pankov	if (mktemp(tmpfile) == NULL) {
c28afb19SYuri Pankov		rc = SMB_ADJOIN_ERR_WRITE_KEYTAB;
c28afb19SYuri Pankov		goto adjoin_cleanup;
c28afb19SYuri Pankov	}
8d7e4166Sjose borrego
148c5f43SAlan Wright	encptr = smb_ads_get_enctypes(dclevel, &num);
148c5f43SAlan Wright	if (smb_krb5_kt_populate(ctx, ah->domain, krb5princs, cnt,
148c5f43SAlan Wright	    tmpfile, kvno, machine_passwd, encptr, num) != 0) {
3db3f65cSamw		rc = SMB_ADJOIN_ERR_WRITE_KEYTAB;
da6c28aaSamw		goto adjoin_cleanup;
da6c28aaSamw	}
da6c28aaSamw
55bf511dSas200622	delete = B_FALSE;
da6c28aaSamwadjoin_cleanup:
55bf511dSas200622	if (new_acct && delete)
c8ec8eeaSjose borrego		smb_ads_del_computer(ah, dn);
da6c28aaSamw
3db3f65cSamw	if (rc != SMB_ADJOIN_ERR_INIT_KRB_CTX) {
3db3f65cSamw		if (rc != SMB_ADJOIN_ERR_GET_SPNS)
148c5f43SAlan Wright			smb_krb5_free_kprincs(ctx, krb5princs, cnt);
da6c28aaSamw		smb_krb5_ctx_fini(ctx);
cbfb650aScp160787	}
da6c28aaSamw
8d7e4166Sjose borrego	/* commit keytab file */
8d7e4166Sjose borrego	if (rc == SMB_ADJOIN_SUCCESS) {
8d7e4166Sjose borrego		if (rename(tmpfile, SMBNS_KRB5_KEYTAB) != 0) {
8d7e4166Sjose borrego			(void) unlink(tmpfile);
8d7e4166Sjose borrego			rc = SMB_ADJOIN_ERR_COMMIT_KEYTAB;
8d7e4166Sjose borrego		}
8d7e4166Sjose borrego	} else {
8d7e4166Sjose borrego		(void) unlink(tmpfile);
8d7e4166Sjose borrego	}
8d7e4166Sjose borrego
3db3f65cSamw	smb_ads_close(ah);
faa1795aSjb150015	smb_ccache_remove(SMB_CCACHE_PATH);
da6c28aaSamw	return (rc);
da6c28aaSamw}
da6c28aaSamw
da6c28aaSamw/*
fc724630SAlan Wright * smb_ads_join_errmsg
da6c28aaSamw *
da6c28aaSamw * Display error message for the specific adjoin error code.
da6c28aaSamw */
fc724630SAlan Wrightvoid
fc724630SAlan Wrightsmb_ads_join_errmsg(smb_adjoin_status_t status)
da6c28aaSamw{
fc724630SAlan Wright	int i;
fc724630SAlan Wright	struct xlate_table {
fc724630SAlan Wright		smb_adjoin_status_t status;
fc724630SAlan Wright		char *msg;
fc724630SAlan Wright	} adjoin_table[] = {
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_GET_HANDLE, "Failed to connect to an "
fc724630SAlan Wright		    "Active Directory server." },
77191e87SShawn Emery		{ SMB_ADJOIN_ERR_GEN_PWD, "Failed to generate machine "
77191e87SShawn Emery		    "password." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_GET_DCLEVEL, "Unknown functional level of "
fc724630SAlan Wright		    "the domain controller. The rootDSE attribute named "
fc724630SAlan Wright		    "\"domainControllerFunctionality\" is missing from the "
fc724630SAlan Wright		    "Active Directory." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_ADD_TRUST_ACCT, "Failed to create the "
fc724630SAlan Wright		    "workstation trust account." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_MOD_TRUST_ACCT, "Failed to modify the "
fc724630SAlan Wright		    "workstation trust account." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_DUP_TRUST_ACCT, "Failed to create the "
fc724630SAlan Wright		    "workstation trust account because its name is already "
fc724630SAlan Wright		    "in use." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_TRUST_ACCT, "Error in querying the "
fc724630SAlan Wright		    "workstation trust account" },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_INIT_KRB_CTX, "Failed to initialize Kerberos "
fc724630SAlan Wright		    "context." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_GET_SPNS, "Failed to get Kerberos "
fc724630SAlan Wright		    "principals." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_KSETPWD, "Failed to set machine password." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR,  "Failed to modify "
fc724630SAlan Wright		    "userAccountControl attribute of the workstation trust "
fc724630SAlan Wright		    "account." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_WRITE_KEYTAB, "Error in writing to local "
fc724630SAlan Wright		    "keytab file (i.e /etc/krb5/krb5.keytab)." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN, "Failed to update idmap "
fc724630SAlan Wright		    "configuration." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_IDMAP_REFRESH, "Failed to refresh idmap "
fc724630SAlan Wright		    "service." },
fc724630SAlan Wright		{ SMB_ADJOIN_ERR_COMMIT_KEYTAB, "Failed to commit changes to "
fc724630SAlan Wright		    "local keytab file (i.e. /etc/krb5/krb5.keytab)." }
fc724630SAlan Wright	};
da6c28aaSamw
fc724630SAlan Wright	for (i = 0; i < sizeof (adjoin_table) / sizeof (adjoin_table[0]); i++) {
fc724630SAlan Wright		if (adjoin_table[i].status == status)
fc724630SAlan Wright			syslog(LOG_NOTICE, "%s", adjoin_table[i].msg);
fc724630SAlan Wright	}
da6c28aaSamw}
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego/*
29bd2886SAlan Wright * smb_ads_match_pdc
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
29bd2886SAlan Wright * Returns B_TRUE if the given host's IP address matches the preferred DC's
29bd2886SAlan Wright * IP address. Otherwise, returns B_FALSE.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
29bd2886SAlan Wrightstatic boolean_t
29bd2886SAlan Wrightsmb_ads_match_pdc(smb_ads_host_info_t *host)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
29bd2886SAlan Wright	boolean_t match = B_FALSE;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	if (!host)
29bd2886SAlan Wright		return (match);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	(void) mutex_lock(&smb_ads_cfg.c_mtx);
29bd2886SAlan Wright	if (smb_inet_equal(&host->ipaddr, &smb_ads_cfg.c_pdc))
29bd2886SAlan Wright		match = B_TRUE;
29bd2886SAlan Wright	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
29bd2886SAlan Wright	return (match);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_select_dcfromsubnet
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * This method walks the list of DCs and returns the first DC record that
b89a8333Snatalie li - Sun Microsystems - Irvine United States * responds to ldap ping and is in the same subnet as the host.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns a pointer to the found DC record.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns NULL, on error or if no DC record is found.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_host_info_t *
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_select_dcfromsubnet(smb_ads_host_list_t *hlist)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_host_info_t *hentry;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_nic_t *lnic;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_niciter_t ni;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	size_t cnt;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int i;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	if (smb_nic_getfirst(&ni) != SMB_NIC_SUCCESS)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	do {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		lnic = &ni.ni_nic;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		cnt = hlist->ah_cnt;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States		for (i = 0; i < cnt; i++) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States			hentry = &hlist->ah_list[i];
7f667e74Sjose borrego			if ((hentry->ipaddr.a_family == AF_INET) &&
7f667e74Sjose borrego			    (lnic->nic_ip.a_family == AF_INET)) {
7f667e74Sjose borrego				if ((hentry->ipaddr.a_ipv4 &
7f667e74Sjose borrego				    lnic->nic_mask) ==
7f667e74Sjose borrego				    (lnic->nic_ip.a_ipv4 &
7f667e74Sjose borrego				    lnic->nic_mask))
b89a8333Snatalie li - Sun Microsystems - Irvine United States					if (smb_ads_ldap_ping(hentry) == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States						return (hentry);
b89a8333Snatalie li - Sun Microsystems - Irvine United States			}
7f667e74Sjose borrego		}
9fb67ea3Safshin salek ardakani - Sun Microsystems - Irvine United States	} while (smb_nic_getnext(&ni) == SMB_NIC_SUCCESS);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
b89a8333Snatalie li - Sun Microsystems - Irvine United States * smb_ads_select_dcfromlist
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * This method walks the list of DCs and returns the first DC that
b89a8333Snatalie li - Sun Microsystems - Irvine United States * responds to ldap ping.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns a pointer to the found DC record.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Returns NULL if no DC record is found.
b89a8333Snatalie li - Sun Microsystems - Irvine United States */
b89a8333Snatalie li - Sun Microsystems - Irvine United Statesstatic smb_ads_host_info_t *
b89a8333Snatalie li - Sun Microsystems - Irvine United Statessmb_ads_select_dcfromlist(smb_ads_host_list_t *hlist)
b89a8333Snatalie li - Sun Microsystems - Irvine United States{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_host_info_t *hentry;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	size_t cnt;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	int i;
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	cnt = hlist->ah_cnt;
b89a8333Snatalie li - Sun Microsystems - Irvine United States	for (i = 0; i < cnt; i++) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		hentry = &hlist->ah_list[i];
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (smb_ads_ldap_ping(hentry) == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			return (hentry);
b89a8333Snatalie li - Sun Microsystems - Irvine United States	}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	return (NULL);
b89a8333Snatalie li - Sun Microsystems - Irvine United States}
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States/*
c8ec8eeaSjose borrego * smb_ads_dc_compare
c8ec8eeaSjose borrego *
c8ec8eeaSjose borrego * Comparision function for sorting host entries (SRV records of DC) via qsort.
b89a8333Snatalie li - Sun Microsystems - Irvine United States * RFC 2052/2782 are taken as reference, while implementing this algorithm.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * Domain Controllers(DCs) with lowest priority in their SRV DNS records
b89a8333Snatalie li - Sun Microsystems - Irvine United States * are selected first. If they have equal priorities, then DC with highest
b89a8333Snatalie li - Sun Microsystems - Irvine United States * weight in its SRV DNS record is selected. If the priority and weight are
b89a8333Snatalie li - Sun Microsystems - Irvine United States * both equal, then the DC at the top of the list is selected.
c8ec8eeaSjose borrego */
c8ec8eeaSjose borregostatic int
c8ec8eeaSjose borregosmb_ads_dc_compare(const void *p, const void *q)
c8ec8eeaSjose borrego{
c8ec8eeaSjose borrego	smb_ads_host_info_t *h1 = (smb_ads_host_info_t *)p;
c8ec8eeaSjose borrego	smb_ads_host_info_t *h2 = (smb_ads_host_info_t *)q;
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	if (h1->priority < h2->priority)
c8ec8eeaSjose borrego		return (-1);
c8ec8eeaSjose borrego	if (h1->priority > h2->priority)
c8ec8eeaSjose borrego		return (1);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	/* Priorities are equal */
c8ec8eeaSjose borrego	if (h1->weight < h2->weight)
c8ec8eeaSjose borrego		return (1);
c8ec8eeaSjose borrego	if (h1->weight > h2->weight)
c8ec8eeaSjose borrego		return (-1);
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego	return (0);
c8ec8eeaSjose borrego}
c8ec8eeaSjose borrego
c8ec8eeaSjose borrego/*
c8ec8eeaSjose borrego * smb_ads_select_dc
c8ec8eeaSjose borrego *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * The list of ADS hosts returned by ADS lookup, is sorted by lowest priority
b89a8333Snatalie li - Sun Microsystems - Irvine United States * and highest weight. On this sorted list, following additional rules are
b89a8333Snatalie li - Sun Microsystems - Irvine United States * applied, to select a DC.
c8ec8eeaSjose borrego *
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  - If there is a DC in the same subnet, then return the DC,
b89a8333Snatalie li - Sun Microsystems - Irvine United States *    if it responds to ldap ping.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *  - Else, return first DC that responds to ldap ping.
b89a8333Snatalie li - Sun Microsystems - Irvine United States *
b89a8333Snatalie li - Sun Microsystems - Irvine United States * A reference to the host entry from input host list is returned.
c8ec8eeaSjose borrego *
c8ec8eeaSjose borrego * Returns NULL on error.
c8ec8eeaSjose borrego */
c8ec8eeaSjose borregostatic smb_ads_host_info_t *
c8ec8eeaSjose borregosmb_ads_select_dc(smb_ads_host_list_t *hlist)
c8ec8eeaSjose borrego{
b89a8333Snatalie li - Sun Microsystems - Irvine United States	smb_ads_host_info_t *hentry = NULL;
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (hlist->ah_cnt == 0)
c8ec8eeaSjose borrego		return (NULL);
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if (hlist->ah_cnt == 1) {
b89a8333Snatalie li - Sun Microsystems - Irvine United States		hentry = hlist->ah_list;
b89a8333Snatalie li - Sun Microsystems - Irvine United States		if (smb_ads_ldap_ping(hentry) == 0)
b89a8333Snatalie li - Sun Microsystems - Irvine United States			return (hentry);
c8ec8eeaSjose borrego	}
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	/* Sort the list by priority and weight */
b89a8333Snatalie li - Sun Microsystems - Irvine United States	qsort(hlist->ah_list, hlist->ah_cnt,
b89a8333Snatalie li - Sun Microsystems - Irvine United States	    sizeof (smb_ads_host_info_t), smb_ads_dc_compare);
c8ec8eeaSjose borrego
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((hentry = smb_ads_select_dcfromsubnet(hlist)) != NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (hentry);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
b89a8333Snatalie li - Sun Microsystems - Irvine United States	if ((hentry = smb_ads_select_dcfromlist(hlist)) != NULL)
b89a8333Snatalie li - Sun Microsystems - Irvine United States		return (hentry);
b89a8333Snatalie li - Sun Microsystems - Irvine United States
c8ec8eeaSjose borrego	return (NULL);
c8ec8eeaSjose borrego}
8d7e4166Sjose borrego
8d7e4166Sjose borrego/*
8d7e4166Sjose borrego * smb_ads_lookup_msdcs
8d7e4166Sjose borrego *
8d7e4166Sjose borrego * If server argument is set, try to locate the specified DC.
8d7e4166Sjose borrego * If it is set to empty string, locate any DCs in the specified domain.
8d7e4166Sjose borrego * Returns the discovered DC via buf.
8d7e4166Sjose borrego *
8d7e4166Sjose borrego * fqdn	  - fully-qualified domain name
8d7e4166Sjose borrego * server - fully-qualifed hostname of a DC
8d7e4166Sjose borrego * buf    - the hostname of the discovered DC
8d7e4166Sjose borrego */
8d7e4166Sjose borregoboolean_t
8d7e4166Sjose borregosmb_ads_lookup_msdcs(char *fqdn, char *server, char *buf, uint32_t buflen)
8d7e4166Sjose borrego{
8d7e4166Sjose borrego	smb_ads_host_info_t *hinfo = NULL;
8d7e4166Sjose borrego	char *p;
8d7e4166Sjose borrego	char *sought_host;
7f667e74Sjose borrego	char ipstr[INET6_ADDRSTRLEN];
8d7e4166Sjose borrego
8d7e4166Sjose borrego	if (!fqdn || !buf)
8d7e4166Sjose borrego		return (B_FALSE);
8d7e4166Sjose borrego
32b8d01aSChristopher Parker	ipstr[0] = '\0';
8d7e4166Sjose borrego	*buf = '\0';
8d7e4166Sjose borrego	sought_host = (*server == 0 ? NULL : server);
8d7e4166Sjose borrego	if ((hinfo = smb_ads_find_host(fqdn, sought_host)) == NULL)
8d7e4166Sjose borrego		return (B_FALSE);
8d7e4166Sjose borrego
32b8d01aSChristopher Parker	(void) smb_inet_ntop(&hinfo->ipaddr, ipstr,
32b8d01aSChristopher Parker	    SMB_IPSTRLEN(hinfo->ipaddr.a_family));
32b8d01aSChristopher Parker	smb_tracef("msdcsLookupADS: %s [%s]", hinfo->name, ipstr);
8d7e4166Sjose borrego
8d7e4166Sjose borrego	(void) strlcpy(buf, hinfo->name, buflen);
8d7e4166Sjose borrego	/*
8d7e4166Sjose borrego	 * Remove the domain extension
8d7e4166Sjose borrego	 */
8d7e4166Sjose borrego	if ((p = strchr(buf, '.')) != 0)
8d7e4166Sjose borrego		*p = '\0';
8d7e4166Sjose borrego
29bd2886SAlan Wright	free(hinfo);
8d7e4166Sjose borrego	return (B_TRUE);
8d7e4166Sjose borrego}
148c5f43SAlan Wright
148c5f43SAlan Wrightstatic krb5_enctype *
148c5f43SAlan Wrightsmb_ads_get_enctypes(int dclevel, int *num)
148c5f43SAlan Wright{
148c5f43SAlan Wright	krb5_enctype *encptr;
148c5f43SAlan Wright
148c5f43SAlan Wright	if (dclevel >= SMB_ADS_DCLEVEL_W2K8) {
148c5f43SAlan Wright		*num = sizeof (w2k8enctypes) / sizeof (krb5_enctype);
148c5f43SAlan Wright		encptr = w2k8enctypes;
148c5f43SAlan Wright	} else {
148c5f43SAlan Wright		*num = sizeof (pre_w2k8enctypes) / sizeof (krb5_enctype);
148c5f43SAlan Wright		encptr = pre_w2k8enctypes;
148c5f43SAlan Wright	}
148c5f43SAlan Wright
148c5f43SAlan Wright	return (encptr);
148c5f43SAlan Wright}