xref: /titanic_50/usr/src/lib/smbsrv/libsmbns/common/smbns_ads.c (revision 310da939904e5e37a19c8a427209c0d4d9683ec8)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <sys/param.h>
26 #include <ldap.h>
27 #include <stdlib.h>
28 #include <sys/types.h>
29 #include <sys/socket.h>
30 #include <netinet/in.h>
31 #include <arpa/inet.h>
32 #include <sys/time.h>
33 #include <netdb.h>
34 #include <pthread.h>
35 #include <unistd.h>
36 #include <arpa/nameser.h>
37 #include <resolv.h>
38 #include <sys/synch.h>
39 #include <string.h>
40 #include <strings.h>
41 #include <fcntl.h>
42 #include <sys/types.h>
43 #include <sys/stat.h>
44 #include <assert.h>
45 #include <sasl/sasl.h>
46 #include <note.h>
47 #include <errno.h>
48 #include <cryptoutil.h>
49 
50 #include <smbsrv/libsmbns.h>
51 #include <smbns_dyndns.h>
52 #include <smbns_krb.h>
53 
54 #define	SMB_ADS_AF_UNKNOWN(x)	(((x)->ipaddr.a_family != AF_INET) && \
55 	((x)->ipaddr.a_family != AF_INET6))
56 
57 #define	SMB_ADS_MAXBUFLEN 100
58 #define	SMB_ADS_DN_MAX	300
59 #define	SMB_ADS_MAXMSGLEN 512
60 #define	SMB_ADS_COMPUTERS_CN "Computers"
61 #define	SMB_ADS_COMPUTER_NUM_ATTR 8
62 #define	SMB_ADS_SHARE_NUM_ATTR 3
63 #define	SMB_ADS_SITE_MAX MAXHOSTNAMELEN
64 
65 /*
66  * [MS-DISO] A machine password is an ASCII string of randomly chosen
67  * characters. Each character's ASCII code is between 32 and 122 inclusive.
68  */
69 #define	SMB_ADS_PWD_CHAR_NUM	91
70 #define	SMB_ADS_PWD_CHAR_START	32
71 
72 #define	SMB_ADS_MSDCS_SRV_DC_RR		"_ldap._tcp.dc._msdcs"
73 #define	SMB_ADS_MSDCS_SRV_SITE_RR	"_ldap._tcp.%s._sites.dc._msdcs"
74 
75 /*
76  * domainControllerFunctionality
77  *
78  * This rootDSE attribute indicates the functional level of the DC.
79  */
80 #define	SMB_ADS_ATTR_DCLEVEL	"domainControllerFunctionality"
81 #define	SMB_ADS_DCLEVEL_W2K	0
82 #define	SMB_ADS_DCLEVEL_W2K3	2
83 #define	SMB_ADS_DCLEVEL_W2K8	3
84 #define	SMB_ADS_DCLEVEL_W2K8_R2 4
85 
86 /*
87  * msDs-supportedEncryptionTypes (Windows Server 2008 only)
88  *
89  * This attribute defines the encryption types supported by the system.
90  * Encryption Types:
91  *  - DES cbc mode with CRC-32
92  *  - DES cbc mode with RSA-MD5
93  *  - ArcFour with HMAC/md5
94  *  - AES-128
95  *  - AES-256
96  */
97 #define	SMB_ADS_ATTR_ENCTYPES	"msDs-supportedEncryptionTypes"
98 #define	SMB_ADS_ENC_DES_CRC	1
99 #define	SMB_ADS_ENC_DES_MD5	2
100 #define	SMB_ADS_ENC_RC4		4
101 #define	SMB_ADS_ENC_AES128	8
102 #define	SMB_ADS_ENC_AES256	16
103 
104 #define	SMB_ADS_ATTR_SAMACCT	"sAMAccountName"
105 #define	SMB_ADS_ATTR_UPN	"userPrincipalName"
106 #define	SMB_ADS_ATTR_SPN	"servicePrincipalName"
107 #define	SMB_ADS_ATTR_CTL	"userAccountControl"
108 #define	SMB_ADS_ATTR_DNSHOST	"dNSHostName"
109 #define	SMB_ADS_ATTR_KVNO	"msDS-KeyVersionNumber"
110 #define	SMB_ADS_ATTR_DN		"distinguishedName"
111 
112 /*
113  * UserAccountControl flags: manipulate user account properties.
114  *
115  * The hexadecimal value of the following property flags are based on MSDN
116  * article # 305144.
117  */
118 #define	SMB_ADS_USER_ACCT_CTL_SCRIPT				0x00000001
119 #define	SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE			0x00000002
120 #define	SMB_ADS_USER_ACCT_CTL_HOMEDIR_REQUIRED			0x00000008
121 #define	SMB_ADS_USER_ACCT_CTL_LOCKOUT				0x00000010
122 #define	SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD			0x00000020
123 #define	SMB_ADS_USER_ACCT_CTL_PASSWD_CANT_CHANGE		0x00000040
124 #define	SMB_ADS_USER_ACCT_CTL_ENCRYPTED_TEXT_PWD_ALLOWED	0x00000080
125 #define	SMB_ADS_USER_ACCT_CTL_TMP_DUP_ACCT			0x00000100
126 #define	SMB_ADS_USER_ACCT_CTL_NORMAL_ACCT			0x00000200
127 #define	SMB_ADS_USER_ACCT_CTL_INTERDOMAIN_TRUST_ACCT		0x00000800
128 #define	SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT		0x00001000
129 #define	SMB_ADS_USER_ACCT_CTL_SRV_TRUST_ACCT			0x00002000
130 #define	SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD		0x00010000
131 #define	SMB_ADS_USER_ACCT_CTL_MNS_LOGON_ACCT			0x00020000
132 #define	SMB_ADS_USER_ACCT_CTL_SMARTCARD_REQUIRED		0x00040000
133 #define	SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION		0x00080000
134 #define	SMB_ADS_USER_ACCT_CTL_NOT_DELEGATED			0x00100000
135 #define	SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY			0x00200000
136 #define	SMB_ADS_USER_ACCT_CTL_DONT_REQ_PREAUTH			0x00400000
137 #define	SMB_ADS_USER_ACCT_CTL_PASSWD_EXPIRED			0x00800000
138 #define	SMB_ADS_USER_ACCT_CTL_TRUSTED_TO_AUTH_FOR_DELEGATION	0x01000000
139 
140 /*
141  * Length of "dc=" prefix.
142  */
143 #define	SMB_ADS_DN_PREFIX_LEN	3
144 
145 static char *smb_ads_computer_objcls[] = {
146 	"top", "person", "organizationalPerson",
147 	"user", "computer", NULL
148 };
149 
150 static char *smb_ads_share_objcls[] = {
151 	"top", "leaf", "connectionPoint", "volume", NULL
152 };
153 
154 /* Cached ADS server to communicate with */
155 static smb_ads_host_info_t *smb_ads_cached_host_info = NULL;
156 static mutex_t smb_ads_cached_host_mtx;
157 
158 /*
159  * SMB ADS config cache is maintained to facilitate the detection of
160  * changes in configuration that is relevant to AD selection.
161  */
162 typedef struct smb_ads_config {
163 	char c_site[SMB_ADS_SITE_MAX];
164 	smb_inaddr_t c_pdc;
165 	mutex_t c_mtx;
166 } smb_ads_config_t;
167 
168 static smb_ads_config_t smb_ads_cfg;
169 
170 
171 /* attribute/value pair */
172 typedef struct smb_ads_avpair {
173 	char *avp_attr;
174 	char *avp_val;
175 } smb_ads_avpair_t;
176 
177 /* query status */
178 typedef enum smb_ads_qstat {
179 	SMB_ADS_STAT_ERR = -2,
180 	SMB_ADS_STAT_DUP,
181 	SMB_ADS_STAT_NOT_FOUND,
182 	SMB_ADS_STAT_FOUND
183 } smb_ads_qstat_t;
184 
185 typedef struct smb_ads_host_list {
186 	int ah_cnt;
187 	smb_ads_host_info_t *ah_list;
188 } smb_ads_host_list_t;
189 
190 static smb_ads_handle_t *smb_ads_open_main(char *, char *, char *);
191 static int smb_ads_add_computer(smb_ads_handle_t *, int, char *);
192 static int smb_ads_modify_computer(smb_ads_handle_t *, int, char *);
193 static int smb_ads_computer_op(smb_ads_handle_t *, int, int, char *);
194 static smb_ads_qstat_t smb_ads_lookup_computer_n_attr(smb_ads_handle_t *,
195     smb_ads_avpair_t *, int, char *);
196 static int smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *, int, char *);
197 static krb5_kvno smb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *, char *);
198 static int smb_ads_gen_machine_passwd(char *, size_t);
199 static void smb_ads_free_cached_host(void);
200 static int smb_ads_get_spnset(char *, char **);
201 static void smb_ads_free_spnset(char **);
202 static int smb_ads_alloc_attr(LDAPMod **, int);
203 static void smb_ads_free_attr(LDAPMod **);
204 static int smb_ads_get_dc_level(smb_ads_handle_t *);
205 static smb_ads_host_info_t *smb_ads_select_dc(smb_ads_host_list_t *);
206 static smb_ads_qstat_t smb_ads_find_computer(smb_ads_handle_t *, char *);
207 static smb_ads_qstat_t smb_ads_getattr(LDAP *, LDAPMessage *,
208     smb_ads_avpair_t *);
209 static smb_ads_qstat_t smb_ads_get_qstat(smb_ads_handle_t *, LDAPMessage *,
210     smb_ads_avpair_t *);
211 static boolean_t smb_ads_match_pdc(smb_ads_host_info_t *);
212 static boolean_t smb_ads_is_sought_host(smb_ads_host_info_t *, char *);
213 static boolean_t smb_ads_is_same_domain(char *, char *);
214 static boolean_t smb_ads_is_pdc_configured(void);
215 static smb_ads_host_info_t *smb_ads_dup_host_info(smb_ads_host_info_t *);
216 static char *smb_ads_get_sharedn(const char *, const char *, const char *);
217 
218 /*
219  * smb_ads_init
220  *
221  * Initializes the ADS config cache.
222  */
223 void
224 smb_ads_init(void)
225 {
226 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
227 	(void) smb_config_getstr(SMB_CI_ADS_SITE,
228 	    smb_ads_cfg.c_site, SMB_ADS_SITE_MAX);
229 	(void) smb_config_getip(SMB_CI_DOMAIN_SRV, &smb_ads_cfg.c_pdc);
230 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
231 }
232 
233 void
234 smb_ads_fini(void)
235 {
236 	smb_ads_free_cached_host();
237 }
238 
239 /*
240  * smb_ads_refresh
241  *
242  * This function will be called when smb/server SMF service is refreshed.
243  * Clearing the smb_ads_cached_host_info would allow the next DC
244  * discovery process to pick up an AD based on the new AD configuration.
245  */
246 void
247 smb_ads_refresh(void)
248 {
249 	char new_site[SMB_ADS_SITE_MAX];
250 	smb_inaddr_t new_pdc;
251 	boolean_t purge = B_FALSE;
252 
253 	(void) smb_config_getstr(SMB_CI_ADS_SITE, new_site, SMB_ADS_SITE_MAX);
254 	(void) smb_config_getip(SMB_CI_DOMAIN_SRV, &new_pdc);
255 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
256 	if (smb_strcasecmp(smb_ads_cfg.c_site, new_site, 0)) {
257 		(void) strlcpy(smb_ads_cfg.c_site, new_site, SMB_ADS_SITE_MAX);
258 		purge = B_TRUE;
259 	}
260 
261 	smb_ads_cfg.c_pdc = new_pdc;
262 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
263 
264 	(void) mutex_lock(&smb_ads_cached_host_mtx);
265 	if (smb_ads_cached_host_info &&
266 	    smb_ads_is_pdc_configured() &&
267 	    !smb_ads_match_pdc(smb_ads_cached_host_info))
268 		purge = B_TRUE;
269 	(void) mutex_unlock(&smb_ads_cached_host_mtx);
270 
271 	if (purge)
272 		smb_ads_free_cached_host();
273 }
274 
275 
276 
277 static boolean_t
278 smb_ads_is_pdc_configured(void)
279 {
280 	boolean_t configured;
281 
282 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
283 	configured = !smb_inet_iszero(&smb_ads_cfg.c_pdc);
284 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
285 
286 	return (configured);
287 }
288 
289 /*
290  * smb_ads_build_unc_name
291  *
292  * Construct the UNC name of the share object in the format of
293  * \\hostname.domain\shareUNC
294  *
295  * Returns 0 on success, -1 on error.
296  */
297 int
298 smb_ads_build_unc_name(char *unc_name, int maxlen,
299     const char *hostname, const char *shareUNC)
300 {
301 	char my_domain[MAXHOSTNAMELEN];
302 
303 	if (smb_getfqdomainname(my_domain, sizeof (my_domain)) != 0)
304 		return (-1);
305 
306 	(void) snprintf(unc_name, maxlen, "\\\\%s.%s\\%s",
307 	    hostname, my_domain, shareUNC);
308 	return (0);
309 }
310 
311 /*
312  * smb_ads_ldap_ping
313  *
314  * This is used to bind to an ADS server to see
315  * if it is still alive.
316  *
317  * Returns:
318  *   -1: error
319  *    0: successful
320  */
321 /*ARGSUSED*/
322 static int
323 smb_ads_ldap_ping(smb_ads_host_info_t *ads_host)
324 {
325 	int ldversion = LDAP_VERSION3, status, timeoutms = 5 * 1000;
326 	LDAP *ld = NULL;
327 
328 	ld = ldap_init(ads_host->name, ads_host->port);
329 	if (ld == NULL)
330 		return (-1);
331 
332 	ldversion = LDAP_VERSION3;
333 	(void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion);
334 	/* setup TCP/IP connect timeout */
335 	(void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeoutms);
336 
337 	status = ldap_bind_s(ld, "", NULL, LDAP_AUTH_SIMPLE);
338 
339 	if (status != LDAP_SUCCESS) {
340 		(void) ldap_unbind(ld);
341 		return (-1);
342 	}
343 
344 	(void) ldap_unbind(ld);
345 
346 	return (0);
347 }
348 
349 /*
350  * The cached ADS host is no longer valid if one of the following criteria
351  * is satisfied:
352  *
353  * 1) not in the specified domain
354  * 2) not the sought host (if specified)
355  * 3) not reachable
356  *
357  * The caller is responsible for acquiring the smb_ads_cached_host_mtx lock
358  * prior to calling this function.
359  *
360  * Return B_TRUE if the cache host is still valid. Otherwise, return B_FALSE.
361  */
362 static boolean_t
363 smb_ads_validate_cache_host(char *domain, char *srv)
364 {
365 	if (!smb_ads_cached_host_info)
366 		return (B_FALSE);
367 
368 	if (!smb_ads_is_same_domain(smb_ads_cached_host_info->name, domain))
369 		return (B_FALSE);
370 
371 	if (smb_ads_ldap_ping(smb_ads_cached_host_info) == 0) {
372 		if (!srv)
373 			return (B_TRUE);
374 
375 		if (smb_ads_is_sought_host(smb_ads_cached_host_info, srv))
376 			return (B_TRUE);
377 	}
378 
379 	return (B_FALSE);
380 }
381 
382 /*
383  * smb_ads_is_sought_host
384  *
385  * Returns true, if the sought host name matches the input host (host) name.
386  * The sought host is expected to be in Fully Qualified Domain Name (FQDN)
387  * format.
388  */
389 static boolean_t
390 smb_ads_is_sought_host(smb_ads_host_info_t *host, char *sought_host_name)
391 {
392 	if ((host == NULL) || (sought_host_name == NULL))
393 		return (B_FALSE);
394 
395 	if (smb_strcasecmp(host->name, sought_host_name, 0))
396 		return (B_FALSE);
397 
398 	return (B_TRUE);
399 }
400 
401 /*
402  * smb_ads_match_hosts_same_domain
403  *
404  * Returns true, if the cached ADS host is in the same domain as the
405  * current (given) domain.
406  */
407 static boolean_t
408 smb_ads_is_same_domain(char *cached_host_name, char *current_domain)
409 {
410 	char *cached_host_domain;
411 
412 	if ((cached_host_name == NULL) || (current_domain == NULL))
413 		return (B_FALSE);
414 
415 	cached_host_domain = strchr(cached_host_name, '.');
416 	if (cached_host_domain == NULL)
417 		return (B_FALSE);
418 
419 	++cached_host_domain;
420 	if (smb_strcasecmp(cached_host_domain, current_domain, 0))
421 		return (B_FALSE);
422 
423 	return (B_TRUE);
424 }
425 
426 /*
427  * smb_ads_skip_ques_sec
428  * Skips the question section.
429  */
430 static int
431 smb_ads_skip_ques_sec(int qcnt, uchar_t **ptr, uchar_t *eom)
432 {
433 	int i, len;
434 
435 	for (i = 0; i < qcnt; i++) {
436 		if ((len = dn_skipname(*ptr, eom)) < 0)
437 			return (-1);
438 
439 		*ptr += len + QFIXEDSZ;
440 	}
441 
442 	return (0);
443 }
444 
445 /*
446  * smb_ads_decode_host_ans_sec
447  * Decodes ADS hosts, priority, weight and port number from the answer
448  * section based on the current buffer pointer.
449  */
450 static int
451 smb_ads_decode_host_ans_sec(int ans_cnt, uchar_t **ptr, uchar_t *eom,
452     uchar_t *buf, smb_ads_host_info_t *ads_host_list)
453 {
454 	int i, len;
455 	smb_ads_host_info_t *ads_host;
456 
457 	for (i = 0; i < ans_cnt; i++) {
458 		ads_host = &ads_host_list[i];
459 
460 		if ((len = dn_skipname(*ptr, eom)) < 0)
461 			return (-1);
462 
463 
464 		*ptr += len;
465 
466 		/* skip type, class, ttl */
467 		*ptr += 8;
468 		/* data size */
469 		*ptr += 2;
470 
471 		/* Get priority, weight */
472 		/* LINTED: E_CONSTANT_CONDITION */
473 		NS_GET16(ads_host->priority, *ptr);
474 		/* LINTED: E_CONSTANT_CONDITION */
475 		NS_GET16(ads_host->weight, *ptr);
476 
477 		/* port */
478 		/* LINTED: E_CONSTANT_CONDITION */
479 		NS_GET16(ads_host->port, *ptr);
480 		/* domain name */
481 		len = dn_expand(buf, eom, *ptr, ads_host->name, MAXHOSTNAMELEN);
482 		if (len < 0)
483 			return (-1);
484 
485 		*ptr += len;
486 	}
487 
488 	return (0);
489 }
490 
491 /*
492  * smb_ads_skip_auth_sec
493  * Skips the authority section.
494  */
495 static int
496 smb_ads_skip_auth_sec(int ns_cnt, uchar_t **ptr, uchar_t *eom)
497 {
498 	int i, len;
499 	uint16_t size;
500 
501 	for (i = 0; i < ns_cnt; i++) {
502 		if ((len = dn_skipname(*ptr, eom)) < 0)
503 			return (-1);
504 
505 		*ptr += len;
506 		/* skip type, class, ttl */
507 		*ptr += 8;
508 		/* get len of data */
509 		/* LINTED: E_CONSTANT_CONDITION */
510 		NS_GET16(size, *ptr);
511 		if ((*ptr + size) > eom)
512 			return (-1);
513 
514 		*ptr += size;
515 	}
516 
517 	return (0);
518 }
519 
520 /*
521  * smb_ads_decode_host_ip
522  *
523  * Decodes ADS hosts and IP Addresses from the additional section based
524  * on the current buffer pointer.
525  */
526 static int
527 smb_ads_decode_host_ip(int addit_cnt, int ans_cnt, uchar_t **ptr,
528     uchar_t *eom, uchar_t *buf, smb_ads_host_info_t *ads_host_list)
529 {
530 	int i, j, len;
531 	smb_inaddr_t ipaddr;
532 	char hostname[MAXHOSTNAMELEN];
533 	char *name;
534 	uint16_t size = 0;
535 
536 	for (i = 0; i < addit_cnt; i++) {
537 
538 		/* domain name */
539 		len = dn_expand(buf, eom, *ptr, hostname, MAXHOSTNAMELEN);
540 		if (len < 0)
541 			return (-1);
542 
543 		*ptr += len;
544 
545 		/* skip type, class, TTL, data len */
546 		*ptr += 8;
547 		/* LINTED: E_CONSTANT_CONDITION */
548 		NS_GET16(size, *ptr);
549 
550 		if (size == INADDRSZ) {
551 			/* LINTED: E_CONSTANT_CONDITION */
552 			NS_GET32(ipaddr.a_ipv4, *ptr);
553 			ipaddr.a_ipv4 = htonl(ipaddr.a_ipv4);
554 			ipaddr.a_family = AF_INET;
555 		} else if (size == IN6ADDRSZ) {
556 #ifdef BIG_ENDIAN
557 			bcopy(*ptr, &ipaddr.a_ipv6, IN6ADDRSZ);
558 #else
559 			for (i = 0; i < IN6ADDRSZ; i++)
560 				(uint8_t *)(ipaddr.a_ipv6)
561 				    [IN6ADDRSZ-1-i] = *(*ptr+i);
562 #endif
563 			ipaddr.a_family = AF_INET6;
564 			*ptr += size;
565 		}
566 
567 		/*
568 		 * find the host in the list of DC records from
569 		 * the answer section, that matches the host in the
570 		 * additional section, and set its IP address.
571 		 */
572 		for (j = 0; j < ans_cnt; j++) {
573 			if ((name = ads_host_list[j].name) == NULL)
574 				continue;
575 			if (smb_strcasecmp(name, hostname, 0) == 0) {
576 				ads_host_list[j].ipaddr = ipaddr;
577 			}
578 		}
579 	}
580 	return (0);
581 }
582 
583 /*
584  * smb_ads_dup_host_info
585  *
586  * Duplicates the passed smb_ads_host_info_t structure.
587  * Caller must free memory allocated by this method.
588  *
589  * Returns a reference to the duplicated smb_ads_host_info_t structure.
590  * Returns NULL on error.
591  */
592 static smb_ads_host_info_t *
593 smb_ads_dup_host_info(smb_ads_host_info_t *ads_host)
594 {
595 	smb_ads_host_info_t *dup_host;
596 
597 	if (ads_host == NULL)
598 		return (NULL);
599 
600 	dup_host = malloc(sizeof (smb_ads_host_info_t));
601 
602 	if (dup_host != NULL)
603 		bcopy(ads_host, dup_host, sizeof (smb_ads_host_info_t));
604 
605 	return (dup_host);
606 }
607 
608 /*
609  * smb_ads_hlist_alloc
610  */
611 static smb_ads_host_list_t *
612 smb_ads_hlist_alloc(int count)
613 {
614 	int size;
615 	smb_ads_host_list_t *hlist;
616 
617 	if (count == 0)
618 		return (NULL);
619 
620 	size = sizeof (smb_ads_host_info_t) * count;
621 	hlist = (smb_ads_host_list_t *)malloc(sizeof (smb_ads_host_list_t));
622 	if (hlist == NULL)
623 		return (NULL);
624 
625 	hlist->ah_cnt = count;
626 	hlist->ah_list = (smb_ads_host_info_t *)malloc(size);
627 	if (hlist->ah_list == NULL) {
628 		free(hlist);
629 		return (NULL);
630 	}
631 
632 	bzero(hlist->ah_list, size);
633 	return (hlist);
634 }
635 
636 /*
637  * smb_ads_hlist_free
638  */
639 static void
640 smb_ads_hlist_free(smb_ads_host_list_t *host_list)
641 {
642 	if (host_list == NULL)
643 		return;
644 
645 	free(host_list->ah_list);
646 	free(host_list);
647 }
648 
649 /*
650  * smb_ads_query_dns_server
651  *
652  * This routine sends a DNS service location (SRV) query message to the
653  * DNS server via TCP to query it for a list of ADS server(s). Once a reply
654  * is received, the reply message is parsed to get the hostname. If there are IP
655  * addresses populated in the additional section then the additional section
656  * is parsed to obtain the IP addresses.
657  *
658  * The service location of _ldap._tcp.dc.msdcs.<ADS domain> is used to
659  * guarantee that Microsoft domain controllers are returned.  Microsoft domain
660  * controllers are also ADS servers.
661  *
662  * The ADS hostnames are stored in the answer section of the DNS reply message.
663  * The IP addresses are stored in the additional section.
664  *
665  * The DNS reply message may be in compress formed.  The compression is done
666  * on repeating domain name label in the message.  i.e hostname.
667  *
668  * Upon successful completion, host list of ADS server(s) is returned.
669  */
670 static smb_ads_host_list_t *
671 smb_ads_query_dns_server(char *domain, char *msdcs_svc_name)
672 {
673 	smb_ads_host_list_t *hlist = NULL;
674 	int len, qcnt, ans_cnt, ns_cnt, addit_cnt;
675 	uchar_t *ptr, *eom;
676 	struct __res_state res_state;
677 	union {
678 		HEADER hdr;
679 		uchar_t buf[NS_MAXMSG];
680 	} msg;
681 
682 	bzero(&res_state, sizeof (struct __res_state));
683 	if (res_ninit(&res_state) < 0)
684 		return (NULL);
685 
686 	/* use TCP */
687 	res_state.options |= RES_USEVC;
688 
689 	len = res_nquerydomain(&res_state, msdcs_svc_name, domain,
690 	    C_IN, T_SRV, msg.buf, sizeof (msg.buf));
691 
692 	if (len < 0) {
693 		syslog(LOG_NOTICE, "DNS query for %s failed: %s",
694 		    msdcs_svc_name, hstrerror(res_state.res_h_errno));
695 		res_ndestroy(&res_state);
696 		return (NULL);
697 	}
698 
699 	if (len > sizeof (msg.buf)) {
700 		syslog(LOG_NOTICE,
701 		    "DNS query for %s failed: too big", msdcs_svc_name);
702 		res_ndestroy(&res_state);
703 		return (NULL);
704 	}
705 
706 	/* parse the reply, skip header and question sections */
707 	ptr = msg.buf + sizeof (msg.hdr);
708 	eom = msg.buf + len;
709 
710 	/* check truncated message bit */
711 	if (msg.hdr.tc)
712 		syslog(LOG_NOTICE,
713 		    "DNS query for %s failed: truncated", msdcs_svc_name);
714 
715 	qcnt = ntohs(msg.hdr.qdcount);
716 	ans_cnt = ntohs(msg.hdr.ancount);
717 	ns_cnt = ntohs(msg.hdr.nscount);
718 	addit_cnt = ntohs(msg.hdr.arcount);
719 
720 	if (smb_ads_skip_ques_sec(qcnt, &ptr, eom) != 0) {
721 		res_ndestroy(&res_state);
722 		return (NULL);
723 	}
724 
725 	hlist = smb_ads_hlist_alloc(ans_cnt);
726 	if (hlist == NULL) {
727 		res_ndestroy(&res_state);
728 		return (NULL);
729 	}
730 
731 	/* walk through the answer section */
732 	if (smb_ads_decode_host_ans_sec(ans_cnt, &ptr, eom, msg.buf,
733 	    hlist->ah_list) != 0) {
734 		smb_ads_hlist_free(hlist);
735 		res_ndestroy(&res_state);
736 		return (NULL);
737 	}
738 
739 	/* check authority section */
740 	if (ns_cnt > 0) {
741 		if (smb_ads_skip_auth_sec(ns_cnt, &ptr, eom) != 0) {
742 			smb_ads_hlist_free(hlist);
743 			res_ndestroy(&res_state);
744 			return (NULL);
745 		}
746 	}
747 
748 	/*
749 	 * Check additional section to get IP address of ADS host.
750 	 */
751 	if (addit_cnt > 0) {
752 		if (smb_ads_decode_host_ip(addit_cnt, ans_cnt,
753 		    &ptr, eom, msg.buf, hlist->ah_list) != 0) {
754 			smb_ads_hlist_free(hlist);
755 			res_ndestroy(&res_state);
756 			return (NULL);
757 		}
758 	}
759 
760 	res_ndestroy(&res_state);
761 	return (hlist);
762 }
763 
764 /*
765  * smb_ads_get_site_service
766  *
767  * Gets the msdcs SRV RR for the specified site.
768  */
769 static void
770 smb_ads_get_site_service(char *site_service, size_t len)
771 {
772 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
773 	if (*smb_ads_cfg.c_site == '\0')
774 		*site_service = '\0';
775 	else
776 		(void) snprintf(site_service, len,
777 		    SMB_ADS_MSDCS_SRV_SITE_RR, smb_ads_cfg.c_site);
778 
779 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
780 }
781 
782 /*
783  * smb_ads_getipnodebyname
784  *
785  * This method gets the IP address by doing a host name lookup.
786  */
787 static int
788 smb_ads_getipnodebyname(smb_ads_host_info_t *hentry)
789 {
790 	struct hostent *h;
791 	int error;
792 
793 	switch (hentry->ipaddr.a_family) {
794 	case AF_INET6:
795 		h = getipnodebyname(hentry->name, hentry->ipaddr.a_family,
796 		    AI_DEFAULT, &error);
797 		if (h == NULL || h->h_length != IPV6_ADDR_LEN)
798 			return (-1);
799 		break;
800 
801 	case AF_INET:
802 		h = getipnodebyname(hentry->name, hentry->ipaddr.a_family,
803 		    0, &error);
804 		if (h == NULL || h->h_length != INADDRSZ)
805 			return (-1);
806 		break;
807 
808 	default:
809 		return (-1);
810 	}
811 	bcopy(*(h->h_addr_list), &hentry->ipaddr.a_ip, h->h_length);
812 	freehostent(h);
813 	return (0);
814 }
815 
816 /*
817  *  Checks the IP address to see if it is zero.  If so, then do a host
818  *  lookup by hostname to get the IP address based on the IP family.
819  *
820  *  If the family is unknown then do a lookup by hostame based on the
821  *  setting of the SMB_CI_IPV6_ENABLE property.
822  */
823 static int
824 smb_ads_set_ipaddr(smb_ads_host_info_t *hentry)
825 {
826 	if (smb_inet_iszero(&hentry->ipaddr)) {
827 		if (smb_ads_getipnodebyname(hentry) < 0)
828 			return (-1);
829 	} else if (SMB_ADS_AF_UNKNOWN(hentry)) {
830 		hentry->ipaddr.a_family =
831 		    smb_config_getbool(SMB_CI_IPV6_ENABLE) ? AF_INET6 : AF_INET;
832 
833 		if (smb_ads_getipnodebyname(hentry) < 0) {
834 			hentry->ipaddr.a_family = 0;
835 			return (-1);
836 		}
837 	}
838 
839 	return (0);
840 }
841 
842 /*
843  * smb_ads_find_host
844  *
845  * Finds an ADS host in a given domain.
846  *
847  * If the cached host is valid, it will be used. Otherwise, a DC will
848  * be selected based on the following criteria:
849  *
850  * 1) pdc (aka preferred DC) configuration
851  * 2) AD site configuration - the scope of the DNS lookup will be
852  * restricted to the specified site.
853  * 3) DC on the same subnet
854  * 4) DC with the lowest priority/highest weight
855  *
856  * The above items are listed in decreasing preference order. The selected
857  * DC must be online.
858  *
859  * If this function is called during domain join, the specified kpasswd server
860  * takes precedence over preferred DC, AD site, and so on.
861  *
862  * Parameters:
863  *   domain: fully-qualified domain name.
864  *   kpasswd_srv: fully-quailifed hostname of the kpasswd server.
865  *
866  * Returns:
867  *   A copy of the cached host info is returned. The caller is responsible
868  *   for deallocating the memory returned by this function.
869  */
870 /*ARGSUSED*/
871 smb_ads_host_info_t *
872 smb_ads_find_host(char *domain, char *kpasswd_srv)
873 {
874 	int i;
875 	char site_service[MAXHOSTNAMELEN];
876 	smb_ads_host_list_t *hlist, *hlist2;
877 	smb_ads_host_info_t *hlistp = NULL, *host = NULL;
878 	smb_ads_host_info_t *found_kpasswd_srv = NULL;
879 	smb_ads_host_info_t *found_pdc = NULL;
880 
881 	if ((kpasswd_srv) && (*kpasswd_srv == '\0'))
882 		kpasswd_srv = NULL;
883 
884 	(void) mutex_lock(&smb_ads_cached_host_mtx);
885 	if (smb_ads_validate_cache_host(domain, kpasswd_srv)) {
886 		host = smb_ads_dup_host_info(smb_ads_cached_host_info);
887 		(void) mutex_unlock(&smb_ads_cached_host_mtx);
888 		return (host);
889 	}
890 
891 	(void) mutex_unlock(&smb_ads_cached_host_mtx);
892 	smb_ads_free_cached_host();
893 
894 	/*
895 	 * First look for ADS hosts in ADS site if configured.  Then try
896 	 * without ADS site info.
897 	 */
898 	hlist = NULL;
899 	smb_ads_get_site_service(site_service, MAXHOSTNAMELEN);
900 
901 	/*
902 	 * If we're given an AD, the DNS SRV RR lookup should not be restricted
903 	 * to the specified site since there is no guarantee that the specified
904 	 * AD is in the specified site.
905 	 */
906 	if (*site_service != '\0' && !kpasswd_srv &&
907 	    !smb_ads_is_pdc_configured())
908 		hlist = smb_ads_query_dns_server(domain, site_service);
909 
910 	if (!hlist)
911 		hlist = smb_ads_query_dns_server(domain,
912 		    SMB_ADS_MSDCS_SRV_DC_RR);
913 
914 	if ((hlist == NULL) || (hlist->ah_list == NULL) || (hlist->ah_cnt == 0))
915 		return (NULL);
916 
917 	for (i = 0, hlistp = hlist->ah_list; i < hlist->ah_cnt; i++) {
918 		if (smb_ads_set_ipaddr(&hlistp[i]) < 0)
919 			continue;
920 
921 		if (smb_ads_is_sought_host(&hlistp[i], kpasswd_srv))
922 			found_kpasswd_srv = &hlistp[i];
923 
924 		if (smb_ads_match_pdc(&hlistp[i]))
925 			found_pdc = &hlistp[i];
926 	}
927 
928 	if (found_kpasswd_srv && smb_ads_ldap_ping(found_kpasswd_srv) == 0) {
929 		host = found_kpasswd_srv;
930 		goto update_cache;
931 	}
932 
933 	if (found_pdc && smb_ads_ldap_ping(found_pdc) == 0) {
934 		host = found_pdc;
935 		goto update_cache;
936 	}
937 
938 	/*
939 	 * If the specified DC (kpasswd_srv or pdc) is not found, fallback
940 	 * to find a DC in the specified AD site.
941 	 */
942 	if (*site_service != '\0' &&
943 	    (kpasswd_srv || smb_ads_is_pdc_configured())) {
944 		hlist2 = smb_ads_query_dns_server(domain, site_service);
945 		if (hlist2 && hlist2->ah_list && hlist2->ah_cnt != 0) {
946 			smb_ads_hlist_free(hlist);
947 			hlist = hlist2;
948 			hlistp = hlist->ah_list;
949 
950 			for (i = 0; i < hlist->ah_cnt; i++)
951 				(void) smb_ads_set_ipaddr(&hlistp[i]);
952 		}
953 	}
954 
955 	/* Select DC from DC list */
956 	host = smb_ads_select_dc(hlist);
957 
958 update_cache:
959 	if (host) {
960 		(void) mutex_lock(&smb_ads_cached_host_mtx);
961 		if (!smb_ads_cached_host_info)
962 			smb_ads_cached_host_info = smb_ads_dup_host_info(host);
963 		host = smb_ads_dup_host_info(smb_ads_cached_host_info);
964 		(void) mutex_unlock(&smb_ads_cached_host_mtx);
965 	}
966 
967 	smb_ads_hlist_free(hlist);
968 	return (host);
969 }
970 
971 /*
972  * Return the number of dots in a string.
973  */
974 static int
975 smb_ads_count_dots(const char *s)
976 {
977 	int ndots = 0;
978 
979 	while (*s) {
980 		if (*s++ == '.')
981 			ndots++;
982 	}
983 
984 	return (ndots);
985 }
986 
987 /*
988  * Convert a domain name in dot notation to distinguished name format,
989  * for example: sun.com -> dc=sun,dc=com.
990  *
991  * Returns a pointer to an allocated buffer containing the distinguished
992  * name.
993  */
994 static char *
995 smb_ads_convert_domain(const char *domain_name)
996 {
997 	const char *s;
998 	char *dn_name;
999 	char buf[2];
1000 	int ndots;
1001 	int len;
1002 
1003 	if (domain_name == NULL || *domain_name == 0)
1004 		return (NULL);
1005 
1006 	ndots = smb_ads_count_dots(domain_name);
1007 	++ndots;
1008 	len = strlen(domain_name) + (ndots * SMB_ADS_DN_PREFIX_LEN) + 1;
1009 
1010 	if ((dn_name = malloc(len)) == NULL)
1011 		return (NULL);
1012 
1013 	bzero(dn_name, len);
1014 	(void) strlcpy(dn_name, "dc=", len);
1015 
1016 	buf[1] = '\0';
1017 	s = domain_name;
1018 
1019 	while (*s) {
1020 		if (*s == '.') {
1021 			(void) strlcat(dn_name, ",dc=", len);
1022 		} else {
1023 			buf[0] = *s;
1024 			(void) strlcat(dn_name, buf, len);
1025 		}
1026 		++s;
1027 	}
1028 
1029 	return (dn_name);
1030 }
1031 
1032 /*
1033  * smb_ads_free_cached_host
1034  *
1035  * Free the memory use by the global smb_ads_cached_host_info & set it to NULL.
1036  */
1037 static void
1038 smb_ads_free_cached_host(void)
1039 {
1040 	(void) mutex_lock(&smb_ads_cached_host_mtx);
1041 	if (smb_ads_cached_host_info) {
1042 		free(smb_ads_cached_host_info);
1043 		smb_ads_cached_host_info = NULL;
1044 	}
1045 	(void) mutex_unlock(&smb_ads_cached_host_mtx);
1046 }
1047 
1048 /*
1049  * smb_ads_open
1050  * Open a LDAP connection to an ADS server if the system is in domain mode.
1051  * Acquire both Kerberos TGT and LDAP service tickets for the host principal.
1052  *
1053  * This function should only be called after the system is successfully joined
1054  * to a domain.
1055  */
1056 smb_ads_handle_t *
1057 smb_ads_open(void)
1058 {
1059 	char domain[MAXHOSTNAMELEN];
1060 
1061 	if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN)
1062 		return (NULL);
1063 
1064 	if (smb_getfqdomainname(domain, MAXHOSTNAMELEN) != 0)
1065 		return (NULL);
1066 
1067 	return (smb_ads_open_main(domain, NULL, NULL));
1068 }
1069 
1070 static int
1071 smb_ads_saslcallback(LDAP *ld, unsigned flags, void *defaults, void *prompts)
1072 {
1073 	NOTE(ARGUNUSED(ld, defaults));
1074 	sasl_interact_t *interact;
1075 
1076 	if (prompts == NULL || flags != LDAP_SASL_INTERACTIVE)
1077 		return (LDAP_PARAM_ERROR);
1078 
1079 	/* There should be no extra arguemnts for SASL/GSSAPI authentication */
1080 	for (interact = prompts; interact->id != SASL_CB_LIST_END;
1081 	    interact++) {
1082 		interact->result = NULL;
1083 		interact->len = 0;
1084 	}
1085 	return (LDAP_SUCCESS);
1086 }
1087 
1088 /*
1089  * smb_ads_open_main
1090  * Open a LDAP connection to an ADS server.
1091  * If ADS is enabled and the administrative username, password, and
1092  * ADS domain are defined then query DNS to find an ADS server if this is the
1093  * very first call to this routine.  After an ADS server is found then this
1094  * server will be used everytime this routine is called until the system is
1095  * rebooted or the ADS server becomes unavailable then an ADS server will
1096  * be queried again.  After the connection is made then an ADS handle
1097  * is created to be returned.
1098  *
1099  * After the LDAP connection, the LDAP version will be set to 3 using
1100  * ldap_set_option().
1101  *
1102  * The LDAP connection is bound before the ADS handle is returned.
1103  * Parameters:
1104  *   domain - fully-qualified domain name
1105  *   user   - the user account for whom the Kerberos TGT ticket and ADS
1106  *            service tickets are acquired.
1107  *   password - password of the specified user
1108  *
1109  * Returns:
1110  *   NULL              : can't connect to ADS server or other errors
1111  *   smb_ads_handle_t* : handle to ADS server
1112  */
1113 static smb_ads_handle_t *
1114 smb_ads_open_main(char *domain, char *user, char *password)
1115 {
1116 	smb_ads_handle_t *ah;
1117 	LDAP *ld;
1118 	int version = 3;
1119 	smb_ads_host_info_t *ads_host = NULL;
1120 	int rc;
1121 
1122 	if (user != NULL) {
1123 		if (smb_kinit(user, password) == 0)
1124 			return (NULL);
1125 		user = NULL;
1126 		password = NULL;
1127 	}
1128 
1129 	ads_host = smb_ads_find_host(domain, NULL);
1130 	if (ads_host == NULL)
1131 		return (NULL);
1132 
1133 	ah = (smb_ads_handle_t *)malloc(sizeof (smb_ads_handle_t));
1134 	if (ah == NULL) {
1135 		free(ads_host);
1136 		return (NULL);
1137 	}
1138 
1139 	(void) memset(ah, 0, sizeof (smb_ads_handle_t));
1140 
1141 	if ((ld = ldap_init(ads_host->name, ads_host->port)) == NULL) {
1142 		smb_ads_free_cached_host();
1143 		free(ah);
1144 		free(ads_host);
1145 		return (NULL);
1146 	}
1147 
1148 	if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version)
1149 	    != LDAP_SUCCESS) {
1150 		smb_ads_free_cached_host();
1151 		free(ah);
1152 		free(ads_host);
1153 		(void) ldap_unbind(ld);
1154 		return (NULL);
1155 	}
1156 
1157 	(void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
1158 	ah->ld = ld;
1159 	ah->domain = strdup(domain);
1160 
1161 	if (ah->domain == NULL) {
1162 		smb_ads_close(ah);
1163 		free(ads_host);
1164 		return (NULL);
1165 	}
1166 
1167 	/*
1168 	 * ah->domain is often used for generating service principal name.
1169 	 * Convert it to lower case for RFC 4120 section 6.2.1 conformance.
1170 	 */
1171 	(void) smb_strlwr(ah->domain);
1172 	ah->domain_dn = smb_ads_convert_domain(domain);
1173 	if (ah->domain_dn == NULL) {
1174 		smb_ads_close(ah);
1175 		free(ads_host);
1176 		return (NULL);
1177 	}
1178 
1179 	ah->hostname = strdup(ads_host->name);
1180 	if (ah->hostname == NULL) {
1181 		smb_ads_close(ah);
1182 		free(ads_host);
1183 		return (NULL);
1184 	}
1185 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
1186 	if (*smb_ads_cfg.c_site != '\0') {
1187 		if ((ah->site = strdup(smb_ads_cfg.c_site)) == NULL) {
1188 			smb_ads_close(ah);
1189 			(void) mutex_unlock(&smb_ads_cfg.c_mtx);
1190 			free(ads_host);
1191 			return (NULL);
1192 		}
1193 	} else {
1194 		ah->site = NULL;
1195 	}
1196 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
1197 
1198 	rc = ldap_sasl_interactive_bind_s(ah->ld, "", "GSSAPI", NULL, NULL,
1199 	    LDAP_SASL_INTERACTIVE, &smb_ads_saslcallback, NULL);
1200 	if (rc != LDAP_SUCCESS) {
1201 		syslog(LOG_ERR, "ldal_sasl_interactive_bind_s failed (%s)",
1202 		    ldap_err2string(rc));
1203 		smb_ads_close(ah);
1204 		free(ads_host);
1205 		return (NULL);
1206 	}
1207 
1208 	free(ads_host);
1209 	return (ah);
1210 }
1211 
1212 /*
1213  * smb_ads_close
1214  * Close connection to ADS server and free memory allocated for ADS handle.
1215  * LDAP unbind is called here.
1216  * Parameters:
1217  *   ah: handle to ADS server
1218  * Returns:
1219  *   void
1220  */
1221 void
1222 smb_ads_close(smb_ads_handle_t *ah)
1223 {
1224 	if (ah == NULL)
1225 		return;
1226 	/* close and free connection resources */
1227 	if (ah->ld)
1228 		(void) ldap_unbind(ah->ld);
1229 
1230 	free(ah->domain);
1231 	free(ah->domain_dn);
1232 	free(ah->hostname);
1233 	free(ah->site);
1234 	free(ah);
1235 }
1236 
1237 /*
1238  * smb_ads_alloc_attr
1239  *
1240  * Since the attrs is a null-terminated array, all elements
1241  * in the array (except the last one) will point to allocated
1242  * memory.
1243  */
1244 static int
1245 smb_ads_alloc_attr(LDAPMod *attrs[], int num)
1246 {
1247 	int i;
1248 
1249 	bzero(attrs, num * sizeof (LDAPMod *));
1250 	for (i = 0; i < (num - 1); i++) {
1251 		attrs[i] = (LDAPMod *)malloc(sizeof (LDAPMod));
1252 		if (attrs[i] == NULL) {
1253 			smb_ads_free_attr(attrs);
1254 			return (-1);
1255 		}
1256 	}
1257 
1258 	return (0);
1259 }
1260 
1261 /*
1262  * smb_ads_free_attr
1263  * Free memory allocated when publishing a share.
1264  * Parameters:
1265  *   attrs: an array of LDAPMod pointers
1266  * Returns:
1267  *   None
1268  */
1269 static void
1270 smb_ads_free_attr(LDAPMod *attrs[])
1271 {
1272 	int i;
1273 	for (i = 0; attrs[i]; i++) {
1274 		free(attrs[i]);
1275 	}
1276 }
1277 
1278 /*
1279  * smb_ads_get_spnset
1280  *
1281  * Derives the core set of SPNs based on the FQHN.
1282  * The spn_set is a null-terminated array of char pointers.
1283  *
1284  * Returns 0 upon success. Otherwise, returns -1.
1285  */
1286 static int
1287 smb_ads_get_spnset(char *fqhost, char **spn_set)
1288 {
1289 	int i;
1290 
1291 	bzero(spn_set, (SMBKRB5_SPN_IDX_MAX + 1) * sizeof (char *));
1292 	for (i = 0; i < SMBKRB5_SPN_IDX_MAX; i++) {
1293 		if ((spn_set[i] = smb_krb5_get_spn(i, fqhost)) == NULL) {
1294 			smb_ads_free_spnset(spn_set);
1295 			return (-1);
1296 		}
1297 	}
1298 
1299 	return (0);
1300 }
1301 
1302 /*
1303  * smb_ads_free_spnset
1304  *
1305  * Free the memory allocated for the set of SPNs.
1306  */
1307 static void
1308 smb_ads_free_spnset(char **spn_set)
1309 {
1310 	int i;
1311 	for (i = 0; spn_set[i]; i++)
1312 		free(spn_set[i]);
1313 }
1314 
1315 /*
1316  * Returns share DN in an allocated buffer.  The format of the DN is
1317  * cn=<sharename>,<container RDNs>,<domain DN>
1318  *
1319  * If the domain DN is not included in the container parameter,
1320  * then it will be appended to create the share DN.
1321  *
1322  * The caller must free the allocated buffer.
1323  */
1324 static char *
1325 smb_ads_get_sharedn(const char *sharename, const char *container,
1326     const char *domain_dn)
1327 {
1328 	char *share_dn;
1329 	int rc, offset, container_len, domain_len;
1330 	boolean_t append_domain = B_TRUE;
1331 
1332 	container_len = strlen(container);
1333 	domain_len = strlen(domain_dn);
1334 
1335 	if (container_len >= domain_len) {
1336 
1337 		/* offset to last domain_len characters */
1338 		offset = container_len - domain_len;
1339 
1340 		if (smb_strcasecmp(container + offset,
1341 		    domain_dn, domain_len) == 0)
1342 			append_domain = B_FALSE;
1343 	}
1344 
1345 	if (append_domain)
1346 		rc = asprintf(&share_dn, "cn=%s,%s,%s", sharename,
1347 		    container, domain_dn);
1348 	else
1349 		rc = asprintf(&share_dn, "cn=%s,%s", sharename,
1350 		    container);
1351 
1352 	return ((rc == -1) ? NULL : share_dn);
1353 }
1354 
1355 /*
1356  * smb_ads_add_share
1357  * Call by smb_ads_publish_share to create share object in ADS.
1358  * This routine specifies the attributes of an ADS LDAP share object. The first
1359  * attribute and values define the type of ADS object, the share object.  The
1360  * second attribute and value define the UNC of the share data for the share
1361  * object. The LDAP synchronous add command is used to add the object into ADS.
1362  * The container location to add the object needs to specified.
1363  * Parameters:
1364  *   ah          : handle to ADS server
1365  *   adsShareName: name of share object to be created in ADS
1366  *   shareUNC    : share name on NetForce
1367  *   adsContainer: location in ADS to create share object
1368  *
1369  * Returns:
1370  *   -1          : error
1371  *    0          : success
1372  */
1373 int
1374 smb_ads_add_share(smb_ads_handle_t *ah, const char *adsShareName,
1375     const char *unc_name, const char *adsContainer)
1376 {
1377 	LDAPMod *attrs[SMB_ADS_SHARE_NUM_ATTR];
1378 	int j = 0;
1379 	char *share_dn;
1380 	int ret;
1381 	char *unc_names[] = {(char *)unc_name, NULL};
1382 
1383 	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
1384 	    ah->domain_dn)) == NULL)
1385 		return (-1);
1386 
1387 	if (smb_ads_alloc_attr(attrs, SMB_ADS_SHARE_NUM_ATTR) != 0) {
1388 		free(share_dn);
1389 		return (-1);
1390 	}
1391 
1392 	attrs[j]->mod_op = LDAP_MOD_ADD;
1393 	attrs[j]->mod_type = "objectClass";
1394 	attrs[j]->mod_values = smb_ads_share_objcls;
1395 
1396 	attrs[++j]->mod_op = LDAP_MOD_ADD;
1397 	attrs[j]->mod_type = "uNCName";
1398 	attrs[j]->mod_values = unc_names;
1399 
1400 	if ((ret = ldap_add_s(ah->ld, share_dn, attrs)) != LDAP_SUCCESS) {
1401 		if (ret == LDAP_NO_SUCH_OBJECT) {
1402 			syslog(LOG_ERR, "Failed to publish share %s in" \
1403 			    " AD.  Container does not exist: %s.\n",
1404 			    adsShareName, share_dn);
1405 
1406 		} else {
1407 			syslog(LOG_ERR, "Failed to publish share %s in" \
1408 			    " AD: %s (%s).\n", adsShareName, share_dn,
1409 			    ldap_err2string(ret));
1410 		}
1411 		smb_ads_free_attr(attrs);
1412 		free(share_dn);
1413 		return (ret);
1414 	}
1415 	free(share_dn);
1416 	smb_ads_free_attr(attrs);
1417 
1418 	return (0);
1419 }
1420 
1421 /*
1422  * smb_ads_del_share
1423  * Call by smb_ads_remove_share to remove share object from ADS.  The container
1424  * location to remove the object needs to specified.  The LDAP synchronous
1425  * delete command is used.
1426  * Parameters:
1427  *   ah          : handle to ADS server
1428  *   adsShareName: name of share object in ADS to be removed
1429  *   adsContainer: location of share object in ADS
1430  * Returns:
1431  *   -1          : error
1432  *    0          : success
1433  */
1434 static int
1435 smb_ads_del_share(smb_ads_handle_t *ah, const char *adsShareName,
1436     const char *adsContainer)
1437 {
1438 	char *share_dn;
1439 	int ret;
1440 
1441 	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
1442 	    ah->domain_dn)) == NULL)
1443 		return (-1);
1444 
1445 	if ((ret = ldap_delete_s(ah->ld, share_dn)) != LDAP_SUCCESS) {
1446 		smb_tracef("ldap_delete: %s", ldap_err2string(ret));
1447 		free(share_dn);
1448 		return (-1);
1449 	}
1450 	free(share_dn);
1451 
1452 	return (0);
1453 }
1454 
1455 
1456 /*
1457  * smb_ads_escape_search_filter_chars
1458  *
1459  * This routine will escape the special characters found in a string
1460  * that will later be passed to the ldap search filter.
1461  *
1462  * RFC 1960 - A String Representation of LDAP Search Filters
1463  * 3.  String Search Filter Definition
1464  * If a value must contain one of the characters '*' OR '(' OR ')',
1465  * these characters
1466  * should be escaped by preceding them with the backslash '\' character.
1467  *
1468  * RFC 2252 - LDAP Attribute Syntax Definitions
1469  * a backslash quoting mechanism is used to escape
1470  * the following separator symbol character (such as "'", "$" or "#") if
1471  * it should occur in that string.
1472  */
1473 static int
1474 smb_ads_escape_search_filter_chars(const char *src, char *dst)
1475 {
1476 	int avail = SMB_ADS_MAXBUFLEN - 1; /* reserve a space for NULL char */
1477 
1478 	if (src == NULL || dst == NULL)
1479 		return (-1);
1480 
1481 	while (*src) {
1482 		if (!avail) {
1483 			*dst = 0;
1484 			return (-1);
1485 		}
1486 
1487 		switch (*src) {
1488 		case '\\':
1489 		case '\'':
1490 		case '$':
1491 		case '#':
1492 		case '*':
1493 		case '(':
1494 		case ')':
1495 			*dst++ = '\\';
1496 			avail--;
1497 			/* fall through */
1498 
1499 		default:
1500 			*dst++ = *src++;
1501 			avail--;
1502 		}
1503 	}
1504 
1505 	*dst = 0;
1506 
1507 	return (0);
1508 }
1509 
1510 /*
1511  * smb_ads_lookup_share
1512  * The search filter is set to search for a specific share name in the
1513  * specified ADS container.  The LDSAP synchronous search command is used.
1514  * Parameters:
1515  *   ah          : handle to ADS server
1516  *   adsShareName: name of share object in ADS to be searched
1517  *   adsContainer: location of share object in ADS
1518  * Returns:
1519  *   -1          : error
1520  *    0          : not found
1521  *    1          : found
1522  */
1523 int
1524 smb_ads_lookup_share(smb_ads_handle_t *ah, const char *adsShareName,
1525     const char *adsContainer, char *unc_name)
1526 {
1527 	char *attrs[4], filter[SMB_ADS_MAXBUFLEN];
1528 	char *share_dn;
1529 	int ret;
1530 	LDAPMessage *res;
1531 	char tmpbuf[SMB_ADS_MAXBUFLEN];
1532 
1533 	if (adsShareName == NULL || adsContainer == NULL)
1534 		return (-1);
1535 
1536 	if ((share_dn = smb_ads_get_sharedn(adsShareName, adsContainer,
1537 	    ah->domain_dn)) == NULL)
1538 		return (-1);
1539 
1540 	res = NULL;
1541 	attrs[0] = "cn";
1542 	attrs[1] = "objectClass";
1543 	attrs[2] = "uNCName";
1544 	attrs[3] = NULL;
1545 
1546 	if (smb_ads_escape_search_filter_chars(unc_name, tmpbuf) != 0) {
1547 		free(share_dn);
1548 		return (-1);
1549 	}
1550 
1551 	(void) snprintf(filter, sizeof (filter),
1552 	    "(&(objectClass=volume)(uNCName=%s))", tmpbuf);
1553 
1554 	if ((ret = ldap_search_s(ah->ld, share_dn,
1555 	    LDAP_SCOPE_BASE, filter, attrs, 0, &res)) != LDAP_SUCCESS) {
1556 		if (ret != LDAP_NO_SUCH_OBJECT)
1557 			smb_tracef("%s: ldap_search: %s", share_dn,
1558 			    ldap_err2string(ret));
1559 
1560 		(void) ldap_msgfree(res);
1561 		free(share_dn);
1562 		return (0);
1563 	}
1564 
1565 	(void) free(share_dn);
1566 
1567 	/* no match is found */
1568 	if (ldap_count_entries(ah->ld, res) == 0) {
1569 		(void) ldap_msgfree(res);
1570 		return (0);
1571 	}
1572 
1573 	/* free the search results */
1574 	(void) ldap_msgfree(res);
1575 
1576 	return (1);
1577 }
1578 
1579 /*
1580  * smb_ads_publish_share
1581  * Publish share into ADS.  If a share name already exist in ADS in the same
1582  * container then the existing share object is removed before adding the new
1583  * share object.
1584  * Parameters:
1585  *   ah          : handle return from smb_ads_open
1586  *   adsShareName: name of share to be added to ADS directory
1587  *   shareUNC    : name of share on client, can be NULL to use the same name
1588  *                 as adsShareName
1589  *   adsContainer: location for share to be added in ADS directory, ie
1590  *                   ou=share_folder
1591  *   uncType     : use UNC_HOSTNAME to use hostname for UNC, use UNC_HOSTADDR
1592  *                   to use host ip addr for UNC.
1593  * Returns:
1594  *   -1          : error
1595  *    0          : success
1596  */
1597 int
1598 smb_ads_publish_share(smb_ads_handle_t *ah, const char *adsShareName,
1599     const char *shareUNC, const char *adsContainer, const char *hostname)
1600 {
1601 	int ret;
1602 	char unc_name[SMB_ADS_MAXBUFLEN];
1603 
1604 	if (adsShareName == NULL || adsContainer == NULL)
1605 		return (-1);
1606 
1607 	if (shareUNC == 0 || *shareUNC == 0)
1608 		shareUNC = adsShareName;
1609 
1610 	if (smb_ads_build_unc_name(unc_name, sizeof (unc_name),
1611 	    hostname, shareUNC) < 0)
1612 		return (-1);
1613 
1614 	ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name);
1615 
1616 	switch (ret) {
1617 	case 1:
1618 		(void) smb_ads_del_share(ah, adsShareName, adsContainer);
1619 		ret = smb_ads_add_share(ah, adsShareName, unc_name,
1620 		    adsContainer);
1621 		break;
1622 
1623 	case 0:
1624 		ret = smb_ads_add_share(ah, adsShareName, unc_name,
1625 		    adsContainer);
1626 		if (ret == LDAP_ALREADY_EXISTS)
1627 			ret = -1;
1628 
1629 		break;
1630 
1631 	case -1:
1632 	default:
1633 		/* return with error code */
1634 		ret = -1;
1635 	}
1636 
1637 	return (ret);
1638 }
1639 
1640 /*
1641  * smb_ads_remove_share
1642  * Remove share from ADS.  A search is done first before explicitly removing
1643  * the share.
1644  * Parameters:
1645  *   ah          : handle return from smb_ads_open
1646  *   adsShareName: name of share to be removed from ADS directory
1647  *   adsContainer: location for share to be removed from ADS directory, ie
1648  *                   ou=share_folder
1649  * Returns:
1650  *   -1          : error
1651  *    0          : success
1652  */
1653 int
1654 smb_ads_remove_share(smb_ads_handle_t *ah, const char *adsShareName,
1655     const char *shareUNC, const char *adsContainer, const char *hostname)
1656 {
1657 	int ret;
1658 	char unc_name[SMB_ADS_MAXBUFLEN];
1659 
1660 	if (adsShareName == NULL || adsContainer == NULL)
1661 		return (-1);
1662 	if (shareUNC == 0 || *shareUNC == 0)
1663 		shareUNC = adsShareName;
1664 
1665 	if (smb_ads_build_unc_name(unc_name, sizeof (unc_name),
1666 	    hostname, shareUNC) < 0)
1667 		return (-1);
1668 
1669 	ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name);
1670 	if (ret == 0)
1671 		return (0);
1672 	if (ret == -1)
1673 		return (-1);
1674 
1675 	return (smb_ads_del_share(ah, adsShareName, adsContainer));
1676 }
1677 
1678 /*
1679  * smb_ads_get_default_comp_container_dn
1680  *
1681  * Build the distinguished name for the default computer conatiner (i.e. the
1682  * pre-defined Computers container).
1683  */
1684 static void
1685 smb_ads_get_default_comp_container_dn(smb_ads_handle_t *ah, char *buf,
1686     size_t buflen)
1687 {
1688 	(void) snprintf(buf, buflen, "cn=%s,%s", SMB_ADS_COMPUTERS_CN,
1689 	    ah->domain_dn);
1690 }
1691 
1692 /*
1693  * smb_ads_get_default_comp_dn
1694  *
1695  * Build the distinguished name for this system.
1696  */
1697 static void
1698 smb_ads_get_default_comp_dn(smb_ads_handle_t *ah, char *buf, size_t buflen)
1699 {
1700 	char nbname[NETBIOS_NAME_SZ];
1701 	char container_dn[SMB_ADS_DN_MAX];
1702 
1703 	(void) smb_getnetbiosname(nbname, sizeof (nbname));
1704 	smb_ads_get_default_comp_container_dn(ah, container_dn, SMB_ADS_DN_MAX);
1705 	(void) snprintf(buf, buflen, "cn=%s,%s", nbname, container_dn);
1706 }
1707 
1708 /*
1709  * smb_ads_add_computer
1710  *
1711  * Returns 0 upon success. Otherwise, returns -1.
1712  */
1713 static int
1714 smb_ads_add_computer(smb_ads_handle_t *ah, int dclevel, char *dn)
1715 {
1716 	return (smb_ads_computer_op(ah, LDAP_MOD_ADD, dclevel, dn));
1717 }
1718 
1719 /*
1720  * smb_ads_modify_computer
1721  *
1722  * Returns 0 upon success. Otherwise, returns -1.
1723  */
1724 static int
1725 smb_ads_modify_computer(smb_ads_handle_t *ah, int dclevel, char *dn)
1726 {
1727 	return (smb_ads_computer_op(ah, LDAP_MOD_REPLACE, dclevel, dn));
1728 }
1729 
1730 /*
1731  * smb_ads_get_dc_level
1732  *
1733  * Returns the functional level of the DC upon success.
1734  * Otherwise, -1 is returned.
1735  */
1736 static int
1737 smb_ads_get_dc_level(smb_ads_handle_t *ah)
1738 {
1739 	LDAPMessage *res, *entry;
1740 	char *attr[2];
1741 	char **vals;
1742 	int rc = -1;
1743 
1744 	res = NULL;
1745 	attr[0] = SMB_ADS_ATTR_DCLEVEL;
1746 	attr[1] = NULL;
1747 	if (ldap_search_s(ah->ld, "", LDAP_SCOPE_BASE, NULL, attr,
1748 	    0, &res) != LDAP_SUCCESS) {
1749 		(void) ldap_msgfree(res);
1750 		return (-1);
1751 	}
1752 
1753 	/* no match for the specified attribute is found */
1754 	if (ldap_count_entries(ah->ld, res) == 0) {
1755 		(void) ldap_msgfree(res);
1756 		return (-1);
1757 	}
1758 
1759 	entry = ldap_first_entry(ah->ld, res);
1760 	if (entry) {
1761 		if ((vals = ldap_get_values(ah->ld, entry,
1762 		    SMB_ADS_ATTR_DCLEVEL)) == NULL) {
1763 			/*
1764 			 * Observed the values aren't populated
1765 			 * by the Windows 2000 server.
1766 			 */
1767 			(void) ldap_msgfree(res);
1768 			return (SMB_ADS_DCLEVEL_W2K);
1769 		}
1770 
1771 		if (vals[0] != NULL)
1772 			rc = atoi(vals[0]);
1773 
1774 		ldap_value_free(vals);
1775 	}
1776 
1777 	(void) ldap_msgfree(res);
1778 	return (rc);
1779 }
1780 
1781 /*
1782  * The fully-qualified hostname returned by this function is often used for
1783  * constructing service principal name.  Return the fully-qualified hostname
1784  * in lower case for RFC 4120 section 6.2.1 conformance.
1785  */
1786 static int
1787 smb_ads_getfqhostname(smb_ads_handle_t *ah, char *fqhost, int len)
1788 {
1789 	if (smb_gethostname(fqhost, len, SMB_CASE_LOWER) != 0)
1790 		return (-1);
1791 
1792 	(void) snprintf(fqhost, len, "%s.%s", fqhost,
1793 	    ah->domain);
1794 
1795 	return (0);
1796 }
1797 
1798 static int
1799 smb_ads_computer_op(smb_ads_handle_t *ah, int op, int dclevel, char *dn)
1800 {
1801 	LDAPMod *attrs[SMB_ADS_COMPUTER_NUM_ATTR];
1802 	char *sam_val[2], *usr_val[2];
1803 	char *spn_set[SMBKRB5_SPN_IDX_MAX + 1], *ctl_val[2], *fqh_val[2];
1804 	char *encrypt_val[2];
1805 	int j = -1;
1806 	int ret, usrctl_flags = 0;
1807 	char sam_acct[SMB_SAMACCT_MAXLEN];
1808 	char fqhost[MAXHOSTNAMELEN];
1809 	char *user_principal;
1810 	char usrctl_buf[16];
1811 	char encrypt_buf[16];
1812 	int max;
1813 
1814 	if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0)
1815 		return (-1);
1816 
1817 	if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN))
1818 		return (-1);
1819 
1820 	if (smb_ads_get_spnset(fqhost, spn_set) != 0)
1821 		return (-1);
1822 
1823 	user_principal = smb_krb5_get_upn(spn_set[SMBKRB5_SPN_IDX_HOST],
1824 	    ah->domain);
1825 
1826 	if (user_principal == NULL) {
1827 		smb_ads_free_spnset(spn_set);
1828 		return (-1);
1829 	}
1830 
1831 	max = (SMB_ADS_COMPUTER_NUM_ATTR - ((op != LDAP_MOD_ADD) ? 1 : 0))
1832 	    - (dclevel >= SMB_ADS_DCLEVEL_W2K8 ?  0 : 1);
1833 
1834 	if (smb_ads_alloc_attr(attrs, max) != 0) {
1835 		free(user_principal);
1836 		smb_ads_free_spnset(spn_set);
1837 		return (-1);
1838 	}
1839 
1840 	/* objectClass attribute is not modifiable. */
1841 	if (op == LDAP_MOD_ADD) {
1842 		attrs[++j]->mod_op = op;
1843 		attrs[j]->mod_type = "objectClass";
1844 		attrs[j]->mod_values = smb_ads_computer_objcls;
1845 	}
1846 
1847 	attrs[++j]->mod_op = op;
1848 	attrs[j]->mod_type = SMB_ADS_ATTR_SAMACCT;
1849 	sam_val[0] = sam_acct;
1850 	sam_val[1] = 0;
1851 	attrs[j]->mod_values = sam_val;
1852 
1853 	attrs[++j]->mod_op = op;
1854 	attrs[j]->mod_type = SMB_ADS_ATTR_UPN;
1855 	usr_val[0] = user_principal;
1856 	usr_val[1] = 0;
1857 	attrs[j]->mod_values = usr_val;
1858 
1859 	attrs[++j]->mod_op = op;
1860 	attrs[j]->mod_type = SMB_ADS_ATTR_SPN;
1861 	attrs[j]->mod_values = spn_set;
1862 
1863 	attrs[++j]->mod_op = op;
1864 	attrs[j]->mod_type = SMB_ADS_ATTR_CTL;
1865 	usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
1866 	    SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD |
1867 	    SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE);
1868 	(void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", usrctl_flags);
1869 	ctl_val[0] = usrctl_buf;
1870 	ctl_val[1] = 0;
1871 	attrs[j]->mod_values = ctl_val;
1872 
1873 	attrs[++j]->mod_op = op;
1874 	attrs[j]->mod_type = SMB_ADS_ATTR_DNSHOST;
1875 	fqh_val[0] = fqhost;
1876 	fqh_val[1] = 0;
1877 	attrs[j]->mod_values = fqh_val;
1878 
1879 	/* enctypes support starting in Windows Server 2008 */
1880 	if (dclevel > SMB_ADS_DCLEVEL_W2K3) {
1881 		attrs[++j]->mod_op = op;
1882 		attrs[j]->mod_type = SMB_ADS_ATTR_ENCTYPES;
1883 		(void) snprintf(encrypt_buf, sizeof (encrypt_buf), "%d",
1884 		    SMB_ADS_ENC_AES256 + SMB_ADS_ENC_AES128 + SMB_ADS_ENC_RC4 +
1885 		    SMB_ADS_ENC_DES_MD5 + SMB_ADS_ENC_DES_CRC);
1886 		encrypt_val[0] = encrypt_buf;
1887 		encrypt_val[1] = 0;
1888 		attrs[j]->mod_values = encrypt_val;
1889 	}
1890 
1891 	switch (op) {
1892 	case LDAP_MOD_ADD:
1893 		if ((ret = ldap_add_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
1894 			syslog(LOG_NOTICE, "ldap_add: %s",
1895 			    ldap_err2string(ret));
1896 			ret = -1;
1897 		}
1898 		break;
1899 
1900 	case LDAP_MOD_REPLACE:
1901 		if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
1902 			syslog(LOG_NOTICE, "ldap_modify: %s",
1903 			    ldap_err2string(ret));
1904 			ret = -1;
1905 		}
1906 		break;
1907 
1908 	default:
1909 		ret = -1;
1910 
1911 	}
1912 
1913 	smb_ads_free_attr(attrs);
1914 	free(user_principal);
1915 	smb_ads_free_spnset(spn_set);
1916 
1917 	return (ret);
1918 }
1919 
1920 /*
1921  * Delete an ADS computer account.
1922  */
1923 static void
1924 smb_ads_del_computer(smb_ads_handle_t *ah, char *dn)
1925 {
1926 	int rc;
1927 
1928 	if ((rc = ldap_delete_s(ah->ld, dn)) != LDAP_SUCCESS)
1929 		smb_tracef("ldap_delete: %s", ldap_err2string(rc));
1930 }
1931 
1932 /*
1933  * Gets the value of the given attribute.
1934  */
1935 static smb_ads_qstat_t
1936 smb_ads_getattr(LDAP *ld, LDAPMessage *entry, smb_ads_avpair_t *avpair)
1937 {
1938 	char **vals;
1939 	smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND;
1940 
1941 	assert(avpair);
1942 	avpair->avp_val = NULL;
1943 	vals = ldap_get_values(ld, entry, avpair->avp_attr);
1944 	if (!vals)
1945 		return (SMB_ADS_STAT_NOT_FOUND);
1946 
1947 	if (!vals[0]) {
1948 		ldap_value_free(vals);
1949 		return (SMB_ADS_STAT_NOT_FOUND);
1950 	}
1951 
1952 	avpair->avp_val = strdup(vals[0]);
1953 	if (!avpair->avp_val)
1954 		rc = SMB_ADS_STAT_ERR;
1955 
1956 	ldap_value_free(vals);
1957 	return (rc);
1958 }
1959 
1960 /*
1961  * Process query's result.
1962  */
1963 static smb_ads_qstat_t
1964 smb_ads_get_qstat(smb_ads_handle_t *ah, LDAPMessage *res,
1965     smb_ads_avpair_t *avpair)
1966 {
1967 	char fqhost[MAXHOSTNAMELEN];
1968 	smb_ads_avpair_t dnshost_avp;
1969 	smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND;
1970 	LDAPMessage *entry;
1971 
1972 	if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN))
1973 		return (SMB_ADS_STAT_ERR);
1974 
1975 	if (ldap_count_entries(ah->ld, res) == 0)
1976 		return (SMB_ADS_STAT_NOT_FOUND);
1977 
1978 	if ((entry = ldap_first_entry(ah->ld, res)) == NULL)
1979 		return (SMB_ADS_STAT_ERR);
1980 
1981 	dnshost_avp.avp_attr = SMB_ADS_ATTR_DNSHOST;
1982 	rc = smb_ads_getattr(ah->ld, entry, &dnshost_avp);
1983 
1984 	switch (rc) {
1985 	case SMB_ADS_STAT_FOUND:
1986 		/*
1987 		 * Returns SMB_ADS_STAT_DUP to avoid overwriting
1988 		 * the computer account of another system whose
1989 		 * NetBIOS name collides with that of the current
1990 		 * system.
1991 		 */
1992 		if (strcasecmp(dnshost_avp.avp_val, fqhost))
1993 			rc = SMB_ADS_STAT_DUP;
1994 
1995 		free(dnshost_avp.avp_val);
1996 		break;
1997 
1998 	case SMB_ADS_STAT_NOT_FOUND:
1999 		/*
2000 		 * Pre-created computer account doesn't have
2001 		 * the dNSHostname attribute. It's been observed
2002 		 * that the dNSHostname attribute is only set after
2003 		 * a successful domain join.
2004 		 * Returns SMB_ADS_STAT_FOUND as the account is
2005 		 * pre-created for the current system.
2006 		 */
2007 		rc = SMB_ADS_STAT_FOUND;
2008 		break;
2009 
2010 	default:
2011 		break;
2012 	}
2013 
2014 	if (rc != SMB_ADS_STAT_FOUND)
2015 		return (rc);
2016 
2017 	if (avpair)
2018 		rc = smb_ads_getattr(ah->ld, entry, avpair);
2019 
2020 	return (rc);
2021 
2022 }
2023 
2024 /*
2025  * smb_ads_lookup_computer_n_attr
2026  *
2027  * If avpair is NULL, checks the status of the specified computer account.
2028  * Otherwise, looks up the value of the specified computer account's attribute.
2029  * If found, the value field of the avpair will be allocated and set. The
2030  * caller should free the allocated buffer.
2031  *
2032  * Return:
2033  *  SMB_ADS_STAT_FOUND  - if both the computer and the specified attribute is
2034  *                        found.
2035  *  SMB_ADS_STAT_NOT_FOUND - if either the computer or the specified attribute
2036  *                           is not found.
2037  *  SMB_ADS_STAT_DUP - if the computer account is already used by other systems
2038  *                     in the AD. This could happen if the hostname of multiple
2039  *                     systems resolved to the same NetBIOS name.
2040  *  SMB_ADS_STAT_ERR - any failure.
2041  */
2042 static smb_ads_qstat_t
2043 smb_ads_lookup_computer_n_attr(smb_ads_handle_t *ah, smb_ads_avpair_t *avpair,
2044     int scope, char *dn)
2045 {
2046 	char *attrs[3], filter[SMB_ADS_MAXBUFLEN];
2047 	LDAPMessage *res;
2048 	char sam_acct[SMB_SAMACCT_MAXLEN], sam_acct2[SMB_SAMACCT_MAXLEN];
2049 	smb_ads_qstat_t rc;
2050 
2051 	if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0)
2052 		return (SMB_ADS_STAT_ERR);
2053 
2054 	res = NULL;
2055 	attrs[0] = SMB_ADS_ATTR_DNSHOST;
2056 	attrs[1] = NULL;
2057 	attrs[2] = NULL;
2058 
2059 	if (avpair) {
2060 		if (!avpair->avp_attr)
2061 			return (SMB_ADS_STAT_ERR);
2062 
2063 		attrs[1] = avpair->avp_attr;
2064 	}
2065 
2066 	if (smb_ads_escape_search_filter_chars(sam_acct, sam_acct2) != 0)
2067 		return (SMB_ADS_STAT_ERR);
2068 
2069 	(void) snprintf(filter, sizeof (filter),
2070 	    "(&(objectClass=computer)(%s=%s))", SMB_ADS_ATTR_SAMACCT,
2071 	    sam_acct2);
2072 
2073 	if (ldap_search_s(ah->ld, dn, scope, filter, attrs, 0,
2074 	    &res) != LDAP_SUCCESS) {
2075 		(void) ldap_msgfree(res);
2076 		return (SMB_ADS_STAT_NOT_FOUND);
2077 	}
2078 
2079 	rc = smb_ads_get_qstat(ah, res, avpair);
2080 	/* free the search results */
2081 	(void) ldap_msgfree(res);
2082 	return (rc);
2083 }
2084 
2085 /*
2086  * smb_ads_find_computer
2087  *
2088  * Starts by searching for the system's AD computer object in the default
2089  * container (i.e. cn=Computers).  If not found, searches the entire directory.
2090  * If found, 'dn' will be set to the distinguished name of the system's AD
2091  * computer object.
2092  */
2093 static smb_ads_qstat_t
2094 smb_ads_find_computer(smb_ads_handle_t *ah, char *dn)
2095 {
2096 	smb_ads_qstat_t stat;
2097 	smb_ads_avpair_t avpair;
2098 
2099 	avpair.avp_attr = SMB_ADS_ATTR_DN;
2100 	smb_ads_get_default_comp_container_dn(ah, dn, SMB_ADS_DN_MAX);
2101 	stat = smb_ads_lookup_computer_n_attr(ah, &avpair, LDAP_SCOPE_ONELEVEL,
2102 	    dn);
2103 
2104 	if (stat == SMB_ADS_STAT_NOT_FOUND) {
2105 		(void) strlcpy(dn, ah->domain_dn, SMB_ADS_DN_MAX);
2106 		stat = smb_ads_lookup_computer_n_attr(ah, &avpair,
2107 		    LDAP_SCOPE_SUBTREE, dn);
2108 	}
2109 
2110 	if (stat == SMB_ADS_STAT_FOUND) {
2111 		(void) strlcpy(dn, avpair.avp_val, SMB_ADS_DN_MAX);
2112 		free(avpair.avp_val);
2113 	}
2114 
2115 	return (stat);
2116 }
2117 
2118 /*
2119  * smb_ads_update_computer_cntrl_attr
2120  *
2121  * Modify the user account control attribute of an existing computer
2122  * object on AD.
2123  *
2124  * Returns LDAP error code.
2125  */
2126 static int
2127 smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *ah, int flags, char *dn)
2128 {
2129 	LDAPMod *attrs[2];
2130 	char *ctl_val[2];
2131 	int ret = 0;
2132 	char usrctl_buf[16];
2133 
2134 	if (smb_ads_alloc_attr(attrs, sizeof (attrs) / sizeof (LDAPMod *)) != 0)
2135 		return (LDAP_NO_MEMORY);
2136 
2137 	attrs[0]->mod_op = LDAP_MOD_REPLACE;
2138 	attrs[0]->mod_type = SMB_ADS_ATTR_CTL;
2139 
2140 	(void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", flags);
2141 	ctl_val[0] = usrctl_buf;
2142 	ctl_val[1] = 0;
2143 	attrs[0]->mod_values = ctl_val;
2144 	if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) {
2145 		syslog(LOG_NOTICE, "ldap_modify: %s", ldap_err2string(ret));
2146 	}
2147 
2148 	smb_ads_free_attr(attrs);
2149 	return (ret);
2150 }
2151 
2152 /*
2153  * smb_ads_lookup_computer_attr_kvno
2154  *
2155  * Lookup the value of the Kerberos version number attribute of the computer
2156  * account.
2157  */
2158 static krb5_kvno
2159 smb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *ah, char *dn)
2160 {
2161 	smb_ads_avpair_t avpair;
2162 	int kvno = 1;
2163 
2164 	avpair.avp_attr = SMB_ADS_ATTR_KVNO;
2165 	if (smb_ads_lookup_computer_n_attr(ah, &avpair,
2166 	    LDAP_SCOPE_BASE, dn) == SMB_ADS_STAT_FOUND) {
2167 		kvno = atoi(avpair.avp_val);
2168 		free(avpair.avp_val);
2169 	}
2170 
2171 	return (kvno);
2172 }
2173 
2174 static int
2175 smb_ads_gen_machine_passwd(char *machine_passwd, size_t bufsz)
2176 {
2177 	int i;
2178 	size_t pwdlen;
2179 	uint8_t *random_bytes;
2180 
2181 	errno = 0;
2182 	if (machine_passwd == NULL || bufsz == 0) {
2183 		errno = EINVAL;
2184 		return (-1);
2185 	}
2186 
2187 	pwdlen = bufsz - 1;
2188 	random_bytes = calloc(1, pwdlen);
2189 	if (random_bytes == NULL)
2190 		return (-1);
2191 
2192 	if (pkcs11_get_random(random_bytes, pwdlen) != 0) {
2193 		free(random_bytes);
2194 		return (-1);
2195 	}
2196 
2197 	for (i = 0; i < pwdlen; i++)
2198 		machine_passwd[i] = (random_bytes[i] % SMB_ADS_PWD_CHAR_NUM) +
2199 		    SMB_ADS_PWD_CHAR_START;
2200 
2201 	machine_passwd[pwdlen] = 0;
2202 	bzero(random_bytes, pwdlen);
2203 	free(random_bytes);
2204 	return (0);
2205 }
2206 
2207 /*
2208  * smb_ads_join
2209  *
2210  * Besides the NT-4 style domain join (using MS-RPC), CIFS server also
2211  * provides the domain join using Kerberos Authentication, Keberos
2212  * Change & Set password, and LDAP protocols. Basically, AD join
2213  * operation would require the following tickets to be acquired for the
2214  * the user account that is provided for the domain join.
2215  *
2216  * 1) a Keberos TGT ticket,
2217  * 2) a ldap service ticket, and
2218  * 3) kadmin/changpw service ticket
2219  *
2220  * The ADS client first sends a ldap search request to find out whether
2221  * or not the workstation trust account already exists in the Active Directory.
2222  * The existing computer object for this workstation will be removed and
2223  * a new one will be added. The machine account password is randomly
2224  * generated and set for the newly created computer object using KPASSWD
2225  * protocol (See RFC 3244). Once the password is set, our ADS client
2226  * finalizes the machine account by modifying the user acount control
2227  * attribute of the computer object. Kerberos keys derived from the machine
2228  * account password will be stored locally in /etc/krb5/krb5.keytab file.
2229  * That would be needed while acquiring Kerberos TGT ticket for the host
2230  * principal after the domain join operation.
2231  */
2232 smb_adjoin_status_t
2233 smb_ads_join(char *domain, char *user, char *usr_passwd, char *machine_passwd,
2234     size_t len)
2235 {
2236 	smb_ads_handle_t *ah = NULL;
2237 	krb5_context ctx = NULL;
2238 	krb5_principal krb5princs[SMBKRB5_SPN_IDX_MAX];
2239 	krb5_kvno kvno;
2240 	boolean_t des_only, delete = B_TRUE;
2241 	smb_adjoin_status_t rc = SMB_ADJOIN_SUCCESS;
2242 	boolean_t new_acct;
2243 	int dclevel, num, usrctl_flags = 0;
2244 	smb_ads_qstat_t qstat;
2245 	char dn[SMB_ADS_DN_MAX];
2246 	char *tmpfile;
2247 
2248 	/*
2249 	 * Call library functions that can be used to get
2250 	 * the list of encryption algorithms available on the system.
2251 	 * (similar to what 'encrypt -l' CLI does). For now,
2252 	 * unless someone has modified the configuration of the
2253 	 * cryptographic framework (very unlikely), the following is the
2254 	 * list of algorithms available on any system running Nevada
2255 	 * by default.
2256 	 */
2257 	krb5_enctype w2k8enctypes[] = {ENCTYPE_AES256_CTS_HMAC_SHA1_96,
2258 	    ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC,
2259 	    ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5,
2260 	};
2261 
2262 	krb5_enctype pre_w2k8enctypes[] = {ENCTYPE_ARCFOUR_HMAC,
2263 	    ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5,
2264 	};
2265 
2266 	krb5_enctype *encptr;
2267 
2268 	if ((ah = smb_ads_open_main(domain, user, usr_passwd)) == NULL) {
2269 		smb_ccache_remove(SMB_CCACHE_PATH);
2270 		return (SMB_ADJOIN_ERR_GET_HANDLE);
2271 	}
2272 
2273 	if (smb_ads_gen_machine_passwd(machine_passwd, len) != 0) {
2274 		syslog(LOG_NOTICE, "machine password generation: %m");
2275 		smb_ads_close(ah);
2276 		smb_ccache_remove(SMB_CCACHE_PATH);
2277 		return (SMB_ADJOIN_ERR_GEN_PWD);
2278 	}
2279 
2280 	if ((dclevel = smb_ads_get_dc_level(ah)) == -1) {
2281 		smb_ads_close(ah);
2282 		smb_ccache_remove(SMB_CCACHE_PATH);
2283 		return (SMB_ADJOIN_ERR_GET_DCLEVEL);
2284 	}
2285 
2286 	qstat = smb_ads_find_computer(ah, dn);
2287 	switch (qstat) {
2288 	case SMB_ADS_STAT_FOUND:
2289 		new_acct = B_FALSE;
2290 		if (smb_ads_modify_computer(ah, dclevel, dn) != 0) {
2291 			smb_ads_close(ah);
2292 			smb_ccache_remove(SMB_CCACHE_PATH);
2293 			return (SMB_ADJOIN_ERR_MOD_TRUST_ACCT);
2294 		}
2295 		break;
2296 
2297 	case SMB_ADS_STAT_NOT_FOUND:
2298 		new_acct = B_TRUE;
2299 		smb_ads_get_default_comp_dn(ah, dn, SMB_ADS_DN_MAX);
2300 		if (smb_ads_add_computer(ah, dclevel, dn) != 0) {
2301 			smb_ads_close(ah);
2302 			smb_ccache_remove(SMB_CCACHE_PATH);
2303 			return (SMB_ADJOIN_ERR_ADD_TRUST_ACCT);
2304 		}
2305 		break;
2306 
2307 	default:
2308 		if (qstat == SMB_ADS_STAT_DUP)
2309 			rc = SMB_ADJOIN_ERR_DUP_TRUST_ACCT;
2310 		else
2311 			rc = SMB_ADJOIN_ERR_TRUST_ACCT;
2312 		smb_ads_close(ah);
2313 		smb_ccache_remove(SMB_CCACHE_PATH);
2314 		return (rc);
2315 	}
2316 
2317 	des_only = B_FALSE;
2318 
2319 	if (smb_krb5_ctx_init(&ctx) != 0) {
2320 		rc = SMB_ADJOIN_ERR_INIT_KRB_CTX;
2321 		goto adjoin_cleanup;
2322 	}
2323 
2324 	if (smb_krb5_get_principals(ah->domain, ctx, krb5princs) != 0) {
2325 		rc = SMB_ADJOIN_ERR_GET_SPNS;
2326 		goto adjoin_cleanup;
2327 	}
2328 
2329 	if (smb_krb5_setpwd(ctx, krb5princs[SMBKRB5_SPN_IDX_HOST],
2330 	    machine_passwd) != 0) {
2331 		rc = SMB_ADJOIN_ERR_KSETPWD;
2332 		goto adjoin_cleanup;
2333 	}
2334 
2335 	kvno = smb_ads_lookup_computer_attr_kvno(ah, dn);
2336 
2337 	/*
2338 	 * Only members of Domain Admins and Enterprise Admins can set
2339 	 * the TRUSTED_FOR_DELEGATION userAccountControl flag.
2340 	 */
2341 	if (smb_ads_update_computer_cntrl_attr(ah,
2342 	    SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
2343 	    SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION, dn)
2344 	    == LDAP_INSUFFICIENT_ACCESS) {
2345 		usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
2346 		    SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD);
2347 
2348 		syslog(LOG_NOTICE, "Unable to set the "
2349 		    "TRUSTED_FOR_DELEGATION userAccountControl flag on "
2350 		    "the machine account in Active Directory.  Please refer "
2351 		    "to the Troubleshooting guide for more information.");
2352 
2353 	} else {
2354 		usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT |
2355 		    SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION |
2356 		    SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD);
2357 	}
2358 
2359 	if (des_only)
2360 		usrctl_flags |= SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY;
2361 
2362 	if (smb_ads_update_computer_cntrl_attr(ah, usrctl_flags, dn)
2363 	    != 0) {
2364 		rc = SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR;
2365 		goto adjoin_cleanup;
2366 	}
2367 
2368 	if (dclevel >= SMB_ADS_DCLEVEL_W2K8) {
2369 		num = sizeof (w2k8enctypes) / sizeof (krb5_enctype);
2370 		encptr = w2k8enctypes;
2371 	} else {
2372 		num = sizeof (pre_w2k8enctypes) / sizeof (krb5_enctype);
2373 		encptr = pre_w2k8enctypes;
2374 	}
2375 
2376 	tmpfile = mktemp(SMBNS_KRB5_KEYTAB_TMP);
2377 	if (tmpfile == NULL)
2378 		tmpfile = SMBNS_KRB5_KEYTAB_TMP;
2379 
2380 	if (smb_krb5_add_keytab_entries(ctx, krb5princs, tmpfile,
2381 	    kvno, machine_passwd, encptr, num) != 0) {
2382 		rc = SMB_ADJOIN_ERR_WRITE_KEYTAB;
2383 		goto adjoin_cleanup;
2384 	}
2385 
2386 	delete = B_FALSE;
2387 adjoin_cleanup:
2388 	if (new_acct && delete)
2389 		smb_ads_del_computer(ah, dn);
2390 
2391 	if (rc != SMB_ADJOIN_ERR_INIT_KRB_CTX) {
2392 		if (rc != SMB_ADJOIN_ERR_GET_SPNS)
2393 			smb_krb5_free_principals(ctx, krb5princs,
2394 			    SMBKRB5_SPN_IDX_MAX);
2395 		smb_krb5_ctx_fini(ctx);
2396 	}
2397 
2398 	/* commit keytab file */
2399 	if (rc == SMB_ADJOIN_SUCCESS) {
2400 		if (rename(tmpfile, SMBNS_KRB5_KEYTAB) != 0) {
2401 			(void) unlink(tmpfile);
2402 			rc = SMB_ADJOIN_ERR_COMMIT_KEYTAB;
2403 		} else {
2404 			/* Set IDMAP config */
2405 			if (smb_config_set_idmap_domain(ah->domain) != 0) {
2406 				rc = SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN;
2407 			} else {
2408 
2409 				/* Refresh IDMAP service */
2410 				if (smb_config_refresh_idmap() != 0)
2411 					rc = SMB_ADJOIN_ERR_IDMAP_REFRESH;
2412 			}
2413 		}
2414 	} else {
2415 		(void) unlink(tmpfile);
2416 	}
2417 
2418 	smb_ads_close(ah);
2419 	smb_ccache_remove(SMB_CCACHE_PATH);
2420 	return (rc);
2421 }
2422 
2423 /*
2424  * smb_ads_join_errmsg
2425  *
2426  * Display error message for the specific adjoin error code.
2427  */
2428 void
2429 smb_ads_join_errmsg(smb_adjoin_status_t status)
2430 {
2431 	int i;
2432 	struct xlate_table {
2433 		smb_adjoin_status_t status;
2434 		char *msg;
2435 	} adjoin_table[] = {
2436 		{ SMB_ADJOIN_ERR_GET_HANDLE, "Failed to connect to an "
2437 		    "Active Directory server." },
2438 		{ SMB_ADJOIN_ERR_GEN_PWD, "Failed to generate machine "
2439 		    "password." },
2440 		{ SMB_ADJOIN_ERR_GET_DCLEVEL, "Unknown functional level of "
2441 		    "the domain controller. The rootDSE attribute named "
2442 		    "\"domainControllerFunctionality\" is missing from the "
2443 		    "Active Directory." },
2444 		{ SMB_ADJOIN_ERR_ADD_TRUST_ACCT, "Failed to create the "
2445 		    "workstation trust account." },
2446 		{ SMB_ADJOIN_ERR_MOD_TRUST_ACCT, "Failed to modify the "
2447 		    "workstation trust account." },
2448 		{ SMB_ADJOIN_ERR_DUP_TRUST_ACCT, "Failed to create the "
2449 		    "workstation trust account because its name is already "
2450 		    "in use." },
2451 		{ SMB_ADJOIN_ERR_TRUST_ACCT, "Error in querying the "
2452 		    "workstation trust account" },
2453 		{ SMB_ADJOIN_ERR_INIT_KRB_CTX, "Failed to initialize Kerberos "
2454 		    "context." },
2455 		{ SMB_ADJOIN_ERR_GET_SPNS, "Failed to get Kerberos "
2456 		    "principals." },
2457 		{ SMB_ADJOIN_ERR_KSETPWD, "Failed to set machine password." },
2458 		{ SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR,  "Failed to modify "
2459 		    "userAccountControl attribute of the workstation trust "
2460 		    "account." },
2461 		{ SMB_ADJOIN_ERR_WRITE_KEYTAB, "Error in writing to local "
2462 		    "keytab file (i.e /etc/krb5/krb5.keytab)." },
2463 		{ SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN, "Failed to update idmap "
2464 		    "configuration." },
2465 		{ SMB_ADJOIN_ERR_IDMAP_REFRESH, "Failed to refresh idmap "
2466 		    "service." },
2467 		{ SMB_ADJOIN_ERR_COMMIT_KEYTAB, "Failed to commit changes to "
2468 		    "local keytab file (i.e. /etc/krb5/krb5.keytab)." }
2469 	};
2470 
2471 	for (i = 0; i < sizeof (adjoin_table) / sizeof (adjoin_table[0]); i++) {
2472 		if (adjoin_table[i].status == status)
2473 			syslog(LOG_NOTICE, "%s", adjoin_table[i].msg);
2474 	}
2475 }
2476 
2477 /*
2478  * smb_ads_match_pdc
2479  *
2480  * Returns B_TRUE if the given host's IP address matches the preferred DC's
2481  * IP address. Otherwise, returns B_FALSE.
2482  */
2483 static boolean_t
2484 smb_ads_match_pdc(smb_ads_host_info_t *host)
2485 {
2486 	boolean_t match = B_FALSE;
2487 
2488 	if (!host)
2489 		return (match);
2490 
2491 	(void) mutex_lock(&smb_ads_cfg.c_mtx);
2492 	if (smb_inet_equal(&host->ipaddr, &smb_ads_cfg.c_pdc))
2493 		match = B_TRUE;
2494 	(void) mutex_unlock(&smb_ads_cfg.c_mtx);
2495 
2496 	return (match);
2497 }
2498 
2499 /*
2500  * smb_ads_select_dcfromsubnet
2501  *
2502  * This method walks the list of DCs and returns the first DC record that
2503  * responds to ldap ping and is in the same subnet as the host.
2504  *
2505  * Returns a pointer to the found DC record.
2506  * Returns NULL, on error or if no DC record is found.
2507  */
2508 static smb_ads_host_info_t *
2509 smb_ads_select_dcfromsubnet(smb_ads_host_list_t *hlist)
2510 {
2511 	smb_ads_host_info_t *hentry;
2512 	smb_nic_t *lnic;
2513 	smb_niciter_t ni;
2514 	size_t cnt;
2515 	int i;
2516 
2517 	if (smb_nic_getfirst(&ni) != SMB_NIC_SUCCESS)
2518 		return (NULL);
2519 	do {
2520 		lnic = &ni.ni_nic;
2521 		cnt = hlist->ah_cnt;
2522 
2523 		for (i = 0; i < cnt; i++) {
2524 			hentry = &hlist->ah_list[i];
2525 			if ((hentry->ipaddr.a_family == AF_INET) &&
2526 			    (lnic->nic_ip.a_family == AF_INET)) {
2527 				if ((hentry->ipaddr.a_ipv4 &
2528 				    lnic->nic_mask) ==
2529 				    (lnic->nic_ip.a_ipv4 &
2530 				    lnic->nic_mask))
2531 					if (smb_ads_ldap_ping(hentry) == 0)
2532 						return (hentry);
2533 			}
2534 		}
2535 	} while (smb_nic_getnext(&ni) == SMB_NIC_SUCCESS);
2536 
2537 	return (NULL);
2538 }
2539 
2540 /*
2541  * smb_ads_select_dcfromlist
2542  *
2543  * This method walks the list of DCs and returns the first DC that
2544  * responds to ldap ping.
2545  *
2546  * Returns a pointer to the found DC record.
2547  * Returns NULL if no DC record is found.
2548  */
2549 static smb_ads_host_info_t *
2550 smb_ads_select_dcfromlist(smb_ads_host_list_t *hlist)
2551 {
2552 	smb_ads_host_info_t *hentry;
2553 	size_t cnt;
2554 	int i;
2555 
2556 	cnt = hlist->ah_cnt;
2557 	for (i = 0; i < cnt; i++) {
2558 		hentry = &hlist->ah_list[i];
2559 		if (smb_ads_ldap_ping(hentry) == 0)
2560 			return (hentry);
2561 	}
2562 
2563 	return (NULL);
2564 }
2565 
2566 /*
2567  * smb_ads_dc_compare
2568  *
2569  * Comparision function for sorting host entries (SRV records of DC) via qsort.
2570  * RFC 2052/2782 are taken as reference, while implementing this algorithm.
2571  *
2572  * Domain Controllers(DCs) with lowest priority in their SRV DNS records
2573  * are selected first. If they have equal priorities, then DC with highest
2574  * weight in its SRV DNS record is selected. If the priority and weight are
2575  * both equal, then the DC at the top of the list is selected.
2576  */
2577 static int
2578 smb_ads_dc_compare(const void *p, const void *q)
2579 {
2580 	smb_ads_host_info_t *h1 = (smb_ads_host_info_t *)p;
2581 	smb_ads_host_info_t *h2 = (smb_ads_host_info_t *)q;
2582 
2583 	if (h1->priority < h2->priority)
2584 		return (-1);
2585 	if (h1->priority > h2->priority)
2586 		return (1);
2587 
2588 	/* Priorities are equal */
2589 	if (h1->weight < h2->weight)
2590 		return (1);
2591 	if (h1->weight > h2->weight)
2592 		return (-1);
2593 
2594 	return (0);
2595 }
2596 
2597 /*
2598  * smb_ads_select_dc
2599  *
2600  * The list of ADS hosts returned by ADS lookup, is sorted by lowest priority
2601  * and highest weight. On this sorted list, following additional rules are
2602  * applied, to select a DC.
2603  *
2604  *  - If there is a DC in the same subnet, then return the DC,
2605  *    if it responds to ldap ping.
2606  *  - Else, return first DC that responds to ldap ping.
2607  *
2608  * A reference to the host entry from input host list is returned.
2609  *
2610  * Returns NULL on error.
2611  */
2612 static smb_ads_host_info_t *
2613 smb_ads_select_dc(smb_ads_host_list_t *hlist)
2614 {
2615 	smb_ads_host_info_t *hentry = NULL;
2616 
2617 	if (hlist->ah_cnt == 0)
2618 		return (NULL);
2619 
2620 	if (hlist->ah_cnt == 1) {
2621 		hentry = hlist->ah_list;
2622 		if (smb_ads_ldap_ping(hentry) == 0)
2623 			return (hentry);
2624 	}
2625 
2626 	/* Sort the list by priority and weight */
2627 	qsort(hlist->ah_list, hlist->ah_cnt,
2628 	    sizeof (smb_ads_host_info_t), smb_ads_dc_compare);
2629 
2630 	if ((hentry = smb_ads_select_dcfromsubnet(hlist)) != NULL)
2631 		return (hentry);
2632 
2633 	if ((hentry = smb_ads_select_dcfromlist(hlist)) != NULL)
2634 		return (hentry);
2635 
2636 	return (NULL);
2637 }
2638 
2639 /*
2640  * smb_ads_lookup_msdcs
2641  *
2642  * If server argument is set, try to locate the specified DC.
2643  * If it is set to empty string, locate any DCs in the specified domain.
2644  * Returns the discovered DC via buf.
2645  *
2646  * fqdn	  - fully-qualified domain name
2647  * server - fully-qualifed hostname of a DC
2648  * buf    - the hostname of the discovered DC
2649  */
2650 boolean_t
2651 smb_ads_lookup_msdcs(char *fqdn, char *server, char *buf, uint32_t buflen)
2652 {
2653 	smb_ads_host_info_t *hinfo = NULL;
2654 	char *p;
2655 	char *sought_host;
2656 	char ipstr[INET6_ADDRSTRLEN];
2657 
2658 	if (!fqdn || !buf)
2659 		return (B_FALSE);
2660 
2661 	ipstr[0] = '\0';
2662 	*buf = '\0';
2663 	sought_host = (*server == 0 ? NULL : server);
2664 	if ((hinfo = smb_ads_find_host(fqdn, sought_host)) == NULL)
2665 		return (B_FALSE);
2666 
2667 	(void) smb_inet_ntop(&hinfo->ipaddr, ipstr,
2668 	    SMB_IPSTRLEN(hinfo->ipaddr.a_family));
2669 	smb_tracef("msdcsLookupADS: %s [%s]", hinfo->name, ipstr);
2670 
2671 	(void) strlcpy(buf, hinfo->name, buflen);
2672 	/*
2673 	 * Remove the domain extension
2674 	 */
2675 	if ((p = strchr(buf, '.')) != 0)
2676 		*p = '\0';
2677 
2678 	free(hinfo);
2679 	return (B_TRUE);
2680 }
2681