1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/param.h> 27 #include <ldap.h> 28 #include <stdlib.h> 29 #include <gssapi/gssapi.h> 30 #include <sys/types.h> 31 #include <sys/socket.h> 32 #include <netinet/in.h> 33 #include <arpa/inet.h> 34 #include <sys/time.h> 35 #include <netdb.h> 36 #include <pthread.h> 37 #include <unistd.h> 38 #include <arpa/nameser.h> 39 #include <resolv.h> 40 #include <sys/synch.h> 41 #include <string.h> 42 #include <strings.h> 43 #include <fcntl.h> 44 #include <sys/types.h> 45 #include <sys/stat.h> 46 #include <assert.h> 47 48 #include <smbsrv/libsmbns.h> 49 #include <smbns_dyndns.h> 50 #include <smbns_krb.h> 51 52 #define SMB_ADS_MAXBUFLEN 100 53 #define SMB_ADS_DN_MAX 300 54 #define SMB_ADS_MAXMSGLEN 512 55 #define SMB_ADS_COMPUTERS_CN "Computers" 56 #define SMB_ADS_COMPUTER_NUM_ATTR 8 57 #define SMB_ADS_SHARE_NUM_ATTR 3 58 #define SMB_ADS_SITE_MAX MAXHOSTNAMELEN 59 60 #define SMB_ADS_MSDCS_SRV_DC_RR "_ldap._tcp.dc._msdcs" 61 #define SMB_ADS_MSDCS_SRV_SITE_RR "_ldap._tcp.%s._sites.dc._msdcs" 62 63 /* 64 * domainControllerFunctionality 65 * 66 * This rootDSE attribute indicates the functional level of the DC. 67 */ 68 #define SMB_ADS_ATTR_DCLEVEL "domainControllerFunctionality" 69 #define SMB_ADS_DCLEVEL_W2K 0 70 #define SMB_ADS_DCLEVEL_W2K3 2 71 #define SMB_ADS_DCLEVEL_W2K8 3 72 #define SMB_ADS_DCLEVEL_W2K8_R2 4 73 74 /* 75 * msDs-supportedEncryptionTypes (Windows Server 2008 only) 76 * 77 * This attribute defines the encryption types supported by the system. 78 * Encryption Types: 79 * - DES cbc mode with CRC-32 80 * - DES cbc mode with RSA-MD5 81 * - ArcFour with HMAC/md5 82 * - AES-128 83 * - AES-256 84 */ 85 #define SMB_ADS_ATTR_ENCTYPES "msDs-supportedEncryptionTypes" 86 #define SMB_ADS_ENC_DES_CRC 1 87 #define SMB_ADS_ENC_DES_MD5 2 88 #define SMB_ADS_ENC_RC4 4 89 #define SMB_ADS_ENC_AES128 8 90 #define SMB_ADS_ENC_AES256 16 91 92 #define SMB_ADS_ATTR_SAMACCT "sAMAccountName" 93 #define SMB_ADS_ATTR_UPN "userPrincipalName" 94 #define SMB_ADS_ATTR_SPN "servicePrincipalName" 95 #define SMB_ADS_ATTR_CTL "userAccountControl" 96 #define SMB_ADS_ATTR_DNSHOST "dNSHostName" 97 #define SMB_ADS_ATTR_KVNO "msDS-KeyVersionNumber" 98 #define SMB_ADS_ATTR_DN "distinguishedName" 99 100 /* 101 * UserAccountControl flags: manipulate user account properties. 102 * 103 * The hexadecimal value of the following property flags are based on MSDN 104 * article # 305144. 105 */ 106 #define SMB_ADS_USER_ACCT_CTL_SCRIPT 0x00000001 107 #define SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE 0x00000002 108 #define SMB_ADS_USER_ACCT_CTL_HOMEDIR_REQUIRED 0x00000008 109 #define SMB_ADS_USER_ACCT_CTL_LOCKOUT 0x00000010 110 #define SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD 0x00000020 111 #define SMB_ADS_USER_ACCT_CTL_PASSWD_CANT_CHANGE 0x00000040 112 #define SMB_ADS_USER_ACCT_CTL_ENCRYPTED_TEXT_PWD_ALLOWED 0x00000080 113 #define SMB_ADS_USER_ACCT_CTL_TMP_DUP_ACCT 0x00000100 114 #define SMB_ADS_USER_ACCT_CTL_NORMAL_ACCT 0x00000200 115 #define SMB_ADS_USER_ACCT_CTL_INTERDOMAIN_TRUST_ACCT 0x00000800 116 #define SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT 0x00001000 117 #define SMB_ADS_USER_ACCT_CTL_SRV_TRUST_ACCT 0x00002000 118 #define SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD 0x00010000 119 #define SMB_ADS_USER_ACCT_CTL_MNS_LOGON_ACCT 0x00020000 120 #define SMB_ADS_USER_ACCT_CTL_SMARTCARD_REQUIRED 0x00040000 121 #define SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION 0x00080000 122 #define SMB_ADS_USER_ACCT_CTL_NOT_DELEGATED 0x00100000 123 #define SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY 0x00200000 124 #define SMB_ADS_USER_ACCT_CTL_DONT_REQ_PREAUTH 0x00400000 125 #define SMB_ADS_USER_ACCT_CTL_PASSWD_EXPIRED 0x00800000 126 #define SMB_ADS_USER_ACCT_CTL_TRUSTED_TO_AUTH_FOR_DELEGATION 0x01000000 127 128 /* 129 * Length of "dc=" prefix. 130 */ 131 #define SMB_ADS_DN_PREFIX_LEN 3 132 133 static char *smb_ads_computer_objcls[] = { 134 "top", "person", "organizationalPerson", 135 "user", "computer", NULL 136 }; 137 138 static char *smb_ads_share_objcls[] = { 139 "top", "leaf", "connectionPoint", "volume", NULL 140 }; 141 142 /* Cached ADS server to communicate with */ 143 static smb_ads_host_info_t *smb_ads_cached_host_info = NULL; 144 static mutex_t smb_ads_cached_host_mtx; 145 146 /* 147 * SMB ADS config cache is maintained to facilitate the detection of 148 * changes in configuration that is relevant to AD selection. 149 */ 150 typedef struct smb_ads_config { 151 char c_site[SMB_ADS_SITE_MAX]; 152 smb_inaddr_t c_pdc; 153 mutex_t c_mtx; 154 } smb_ads_config_t; 155 156 static smb_ads_config_t smb_ads_cfg; 157 158 159 /* attribute/value pair */ 160 typedef struct smb_ads_avpair { 161 char *avp_attr; 162 char *avp_val; 163 } smb_ads_avpair_t; 164 165 /* query status */ 166 typedef enum smb_ads_qstat { 167 SMB_ADS_STAT_ERR = -2, 168 SMB_ADS_STAT_DUP, 169 SMB_ADS_STAT_NOT_FOUND, 170 SMB_ADS_STAT_FOUND 171 } smb_ads_qstat_t; 172 173 typedef struct smb_ads_host_list { 174 int ah_cnt; 175 smb_ads_host_info_t *ah_list; 176 } smb_ads_host_list_t; 177 178 static smb_ads_handle_t *smb_ads_open_main(char *, char *, char *); 179 static int smb_ads_bind(smb_ads_handle_t *); 180 static int smb_ads_add_computer(smb_ads_handle_t *, int, char *); 181 static int smb_ads_modify_computer(smb_ads_handle_t *, int, char *); 182 static int smb_ads_computer_op(smb_ads_handle_t *, int, int, char *); 183 static smb_ads_qstat_t smb_ads_lookup_computer_n_attr(smb_ads_handle_t *, 184 smb_ads_avpair_t *, int, char *); 185 static int smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *, int, char *); 186 static krb5_kvno smb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *, char *); 187 static void smb_ads_gen_machine_passwd(char *, int); 188 static void smb_ads_free_cached_host(void); 189 static int smb_ads_get_spnset(char *, char **); 190 static void smb_ads_free_spnset(char **); 191 static int smb_ads_alloc_attr(LDAPMod **, int); 192 static void smb_ads_free_attr(LDAPMod **); 193 static int smb_ads_get_dc_level(smb_ads_handle_t *); 194 static smb_ads_host_info_t *smb_ads_select_dc(smb_ads_host_list_t *); 195 static smb_ads_qstat_t smb_ads_find_computer(smb_ads_handle_t *, char *); 196 static smb_ads_qstat_t smb_ads_getattr(LDAP *, LDAPMessage *, 197 smb_ads_avpair_t *); 198 static smb_ads_qstat_t smb_ads_get_qstat(smb_ads_handle_t *, LDAPMessage *, 199 smb_ads_avpair_t *); 200 static boolean_t smb_ads_match_pdc(smb_ads_host_info_t *); 201 static boolean_t smb_ads_is_sought_host(smb_ads_host_info_t *, char *); 202 static boolean_t smb_ads_is_same_domain(char *, char *); 203 static boolean_t smb_ads_is_pdc_configured(void); 204 static smb_ads_host_info_t *smb_ads_dup_host_info(smb_ads_host_info_t *); 205 206 /* 207 * smb_ads_init 208 * 209 * Initializes the ADS config cache. 210 */ 211 void 212 smb_ads_init(void) 213 { 214 (void) mutex_lock(&smb_ads_cfg.c_mtx); 215 (void) smb_config_getstr(SMB_CI_ADS_SITE, 216 smb_ads_cfg.c_site, SMB_ADS_SITE_MAX); 217 (void) smb_config_getip(SMB_CI_DOMAIN_SRV, &smb_ads_cfg.c_pdc); 218 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 219 } 220 221 void 222 smb_ads_fini(void) 223 { 224 smb_ads_free_cached_host(); 225 } 226 227 /* 228 * smb_ads_refresh 229 * 230 * This function will be called when smb/server SMF service is refreshed. 231 * Clearing the smb_ads_cached_host_info would allow the next DC 232 * discovery process to pick up an AD based on the new AD configuration. 233 */ 234 void 235 smb_ads_refresh(void) 236 { 237 char new_site[SMB_ADS_SITE_MAX]; 238 smb_inaddr_t new_pdc; 239 boolean_t purge = B_FALSE; 240 241 (void) smb_config_getstr(SMB_CI_ADS_SITE, new_site, SMB_ADS_SITE_MAX); 242 (void) smb_config_getip(SMB_CI_DOMAIN_SRV, &new_pdc); 243 (void) mutex_lock(&smb_ads_cfg.c_mtx); 244 if (utf8_strcasecmp(smb_ads_cfg.c_site, new_site)) { 245 (void) strlcpy(smb_ads_cfg.c_site, new_site, SMB_ADS_SITE_MAX); 246 purge = B_TRUE; 247 } 248 249 smb_ads_cfg.c_pdc = new_pdc; 250 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 251 252 (void) mutex_lock(&smb_ads_cached_host_mtx); 253 if (smb_ads_cached_host_info && 254 smb_ads_is_pdc_configured() && 255 !smb_ads_match_pdc(smb_ads_cached_host_info)) 256 purge = B_TRUE; 257 (void) mutex_unlock(&smb_ads_cached_host_mtx); 258 259 if (purge) 260 smb_ads_free_cached_host(); 261 } 262 263 264 265 static boolean_t 266 smb_ads_is_pdc_configured(void) 267 { 268 boolean_t configured; 269 270 (void) mutex_lock(&smb_ads_cfg.c_mtx); 271 configured = !smb_inet_iszero(&smb_ads_cfg.c_pdc); 272 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 273 274 return (configured); 275 } 276 277 /* 278 * smb_ads_build_unc_name 279 * 280 * Construct the UNC name of the share object in the format of 281 * \\hostname.domain\shareUNC 282 * 283 * Returns 0 on success, -1 on error. 284 */ 285 int 286 smb_ads_build_unc_name(char *unc_name, int maxlen, 287 const char *hostname, const char *shareUNC) 288 { 289 char my_domain[MAXHOSTNAMELEN]; 290 291 if (smb_getfqdomainname(my_domain, sizeof (my_domain)) != 0) 292 return (-1); 293 294 (void) snprintf(unc_name, maxlen, "\\\\%s.%s\\%s", 295 hostname, my_domain, shareUNC); 296 return (0); 297 } 298 299 /* 300 * smb_ads_ldap_ping 301 * 302 * This is used to bind to an ADS server to see 303 * if it is still alive. 304 * 305 * Returns: 306 * -1: error 307 * 0: successful 308 */ 309 /*ARGSUSED*/ 310 static int 311 smb_ads_ldap_ping(smb_ads_host_info_t *ads_host) 312 { 313 int ldversion = LDAP_VERSION3, status, timeoutms = 5 * 1000; 314 LDAP *ld = NULL; 315 316 ld = ldap_init(ads_host->name, ads_host->port); 317 if (ld == NULL) 318 return (-1); 319 320 ldversion = LDAP_VERSION3; 321 (void) ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion); 322 /* setup TCP/IP connect timeout */ 323 (void) ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeoutms); 324 325 status = ldap_bind_s(ld, "", NULL, LDAP_AUTH_SIMPLE); 326 327 if (status != LDAP_SUCCESS) { 328 (void) ldap_unbind(ld); 329 return (-1); 330 } 331 332 (void) ldap_unbind(ld); 333 334 return (0); 335 } 336 337 /* 338 * The cached ADS host is no longer valid if one of the following criteria 339 * is satisfied: 340 * 341 * 1) not in the specified domain 342 * 2) not the sought host (if specified) 343 * 3) not reachable 344 * 345 * The caller is responsible for acquiring the smb_ads_cached_host_mtx lock 346 * prior to calling this function. 347 * 348 * Return B_TRUE if the cache host is still valid. Otherwise, return B_FALSE. 349 */ 350 static boolean_t 351 smb_ads_validate_cache_host(char *domain, char *srv) 352 { 353 if (!smb_ads_cached_host_info) 354 return (B_FALSE); 355 356 if (!smb_ads_is_same_domain(smb_ads_cached_host_info->name, domain)) 357 return (B_FALSE); 358 359 if (smb_ads_ldap_ping(smb_ads_cached_host_info) == 0) { 360 if (!srv) 361 return (B_TRUE); 362 363 if (smb_ads_is_sought_host(smb_ads_cached_host_info, srv)) 364 return (B_TRUE); 365 } 366 367 return (B_FALSE); 368 } 369 370 /* 371 * smb_ads_is_sought_host 372 * 373 * Returns true, if the sought host name matches the input host (host) name. 374 * The sought host is expected to be in Fully Qualified Domain Name (FQDN) 375 * format. 376 */ 377 static boolean_t 378 smb_ads_is_sought_host(smb_ads_host_info_t *host, char *sought_host_name) 379 { 380 if ((host == NULL) || (sought_host_name == NULL)) 381 return (B_FALSE); 382 383 if (utf8_strcasecmp(host->name, sought_host_name)) 384 return (B_FALSE); 385 386 return (B_TRUE); 387 } 388 389 /* 390 * smb_ads_match_hosts_same_domain 391 * 392 * Returns true, if the cached ADS host is in the same domain as the 393 * current (given) domain. 394 */ 395 static boolean_t 396 smb_ads_is_same_domain(char *cached_host_name, char *current_domain) 397 { 398 char *cached_host_domain; 399 400 if ((cached_host_name == NULL) || (current_domain == NULL)) 401 return (B_FALSE); 402 403 cached_host_domain = strchr(cached_host_name, '.'); 404 if (cached_host_domain == NULL) 405 return (B_FALSE); 406 407 ++cached_host_domain; 408 if (utf8_strcasecmp(cached_host_domain, current_domain)) 409 return (B_FALSE); 410 411 return (B_TRUE); 412 } 413 414 /* 415 * smb_ads_skip_ques_sec 416 * Skips the question section. 417 */ 418 static int 419 smb_ads_skip_ques_sec(int qcnt, uchar_t **ptr, uchar_t *eom) 420 { 421 int i, len; 422 423 for (i = 0; i < qcnt; i++) { 424 if ((len = dn_skipname(*ptr, eom)) < 0) 425 return (-1); 426 427 *ptr += len + QFIXEDSZ; 428 } 429 430 return (0); 431 } 432 433 /* 434 * smb_ads_decode_host_ans_sec 435 * Decodes ADS hosts, priority, weight and port number from the answer 436 * section based on the current buffer pointer. 437 */ 438 static int 439 smb_ads_decode_host_ans_sec(int ans_cnt, uchar_t **ptr, uchar_t *eom, 440 uchar_t *buf, smb_ads_host_info_t *ads_host_list) 441 { 442 int i, len; 443 smb_ads_host_info_t *ads_host; 444 445 for (i = 0; i < ans_cnt; i++) { 446 ads_host = &ads_host_list[i]; 447 448 if ((len = dn_skipname(*ptr, eom)) < 0) 449 return (-1); 450 451 452 *ptr += len; 453 454 /* skip type, class, ttl */ 455 *ptr += 8; 456 /* data size */ 457 *ptr += 2; 458 459 /* Get priority, weight */ 460 /* LINTED: E_CONSTANT_CONDITION */ 461 NS_GET16(ads_host->priority, *ptr); 462 /* LINTED: E_CONSTANT_CONDITION */ 463 NS_GET16(ads_host->weight, *ptr); 464 465 /* port */ 466 /* LINTED: E_CONSTANT_CONDITION */ 467 NS_GET16(ads_host->port, *ptr); 468 /* domain name */ 469 len = dn_expand(buf, eom, *ptr, ads_host->name, MAXHOSTNAMELEN); 470 if (len < 0) 471 return (-1); 472 473 *ptr += len; 474 } 475 476 return (0); 477 } 478 479 /* 480 * smb_ads_skip_auth_sec 481 * Skips the authority section. 482 */ 483 static int 484 smb_ads_skip_auth_sec(int ns_cnt, uchar_t **ptr, uchar_t *eom) 485 { 486 int i, len; 487 uint16_t size; 488 489 for (i = 0; i < ns_cnt; i++) { 490 if ((len = dn_skipname(*ptr, eom)) < 0) 491 return (-1); 492 493 *ptr += len; 494 /* skip type, class, ttl */ 495 *ptr += 8; 496 /* get len of data */ 497 /* LINTED: E_CONSTANT_CONDITION */ 498 NS_GET16(size, *ptr); 499 if ((*ptr + size) > eom) 500 return (-1); 501 502 *ptr += size; 503 } 504 505 return (0); 506 } 507 508 /* 509 * smb_ads_decode_host_ip 510 * 511 * Decodes ADS hosts and IP Addresses from the additional section based 512 * on the current buffer pointer. 513 */ 514 static int 515 smb_ads_decode_host_ip(int addit_cnt, int ans_cnt, uchar_t **ptr, 516 uchar_t *eom, uchar_t *buf, smb_ads_host_info_t *ads_host_list) 517 { 518 int i, j, len; 519 smb_inaddr_t ipaddr; 520 char hostname[MAXHOSTNAMELEN]; 521 char *name; 522 uint16_t size = 0; 523 524 for (i = 0; i < addit_cnt; i++) { 525 526 /* domain name */ 527 len = dn_expand(buf, eom, *ptr, hostname, MAXHOSTNAMELEN); 528 if (len < 0) 529 return (-1); 530 531 *ptr += len; 532 533 /* skip type, class, TTL, data len */ 534 *ptr += 8; 535 /* LINTED: E_CONSTANT_CONDITION */ 536 NS_GET16(size, *ptr); 537 538 if (size == INADDRSZ) { 539 /* LINTED: E_CONSTANT_CONDITION */ 540 NS_GET32(ipaddr.a_ipv4, *ptr); 541 ipaddr.a_ipv4 = htonl(ipaddr.a_ipv4); 542 ipaddr.a_family = AF_INET; 543 } else if (size == IN6ADDRSZ) { 544 #ifdef BIG_ENDIAN 545 bcopy(*ptr, &ipaddr.a_ipv6, IN6ADDRSZ); 546 #else 547 for (i = 0; i < IN6ADDRSZ; i++) 548 (uint8_t *)(ipaddr.a_ipv6) 549 [IN6ADDRSZ-1-i] = *(*ptr+i); 550 #endif 551 ipaddr.a_family = AF_INET6; 552 } 553 554 /* 555 * find the host in the list of DC records from 556 * the answer section, that matches the host in the 557 * additional section, and set its IP address. 558 */ 559 for (j = 0; j < ans_cnt; j++) { 560 if ((name = ads_host_list[j].name) == NULL) 561 continue; 562 if (utf8_strcasecmp(name, hostname) == 0) { 563 ads_host_list[j].ipaddr = ipaddr; 564 } 565 } 566 } 567 return (0); 568 } 569 570 /* 571 * smb_ads_dup_host_info 572 * 573 * Duplicates the passed smb_ads_host_info_t structure. 574 * Caller must free memory allocated by this method. 575 * 576 * Returns a reference to the duplicated smb_ads_host_info_t structure. 577 * Returns NULL on error. 578 */ 579 static smb_ads_host_info_t * 580 smb_ads_dup_host_info(smb_ads_host_info_t *ads_host) 581 { 582 smb_ads_host_info_t *dup_host; 583 584 if (ads_host == NULL) 585 return (NULL); 586 587 dup_host = malloc(sizeof (smb_ads_host_info_t)); 588 589 if (dup_host != NULL) 590 bcopy(ads_host, dup_host, sizeof (smb_ads_host_info_t)); 591 592 return (dup_host); 593 } 594 595 /* 596 * smb_ads_hlist_alloc 597 */ 598 smb_ads_host_list_t * 599 smb_ads_hlist_alloc(int count) 600 { 601 int size; 602 smb_ads_host_list_t *hlist; 603 604 if (count == 0) 605 return (NULL); 606 607 size = sizeof (smb_ads_host_info_t) * count; 608 hlist = (smb_ads_host_list_t *)malloc(sizeof (smb_ads_host_list_t)); 609 if (hlist == NULL) 610 return (NULL); 611 612 hlist->ah_cnt = count; 613 hlist->ah_list = (smb_ads_host_info_t *)malloc(size); 614 if (hlist->ah_list == NULL) { 615 free(hlist); 616 return (NULL); 617 } 618 619 bzero(hlist->ah_list, size); 620 return (hlist); 621 } 622 623 /* 624 * smb_ads_hlist_free 625 */ 626 static void 627 smb_ads_hlist_free(smb_ads_host_list_t *host_list) 628 { 629 if (host_list == NULL) 630 return; 631 632 free(host_list->ah_list); 633 free(host_list); 634 } 635 636 /* 637 * smb_ads_query_dns_server 638 * 639 * This routine sends a DNS service location (SRV) query message to the 640 * DNS server via TCP to query it for a list of ADS server(s). Once a reply 641 * is received, the reply message is parsed to get the hostname. If there are IP 642 * addresses populated in the additional section then the additional section 643 * is parsed to obtain the IP addresses. 644 * 645 * The service location of _ldap._tcp.dc.msdcs.<ADS domain> is used to 646 * guarantee that Microsoft domain controllers are returned. Microsoft domain 647 * controllers are also ADS servers. 648 * 649 * The ADS hostnames are stored in the answer section of the DNS reply message. 650 * The IP addresses are stored in the additional section. 651 * 652 * The DNS reply message may be in compress formed. The compression is done 653 * on repeating domain name label in the message. i.e hostname. 654 * 655 * Upon successful completion, host list of ADS server(s) is returned. 656 */ 657 static smb_ads_host_list_t * 658 smb_ads_query_dns_server(char *domain, char *msdcs_svc_name) 659 { 660 smb_ads_host_list_t *hlist = NULL; 661 int len, qcnt, ans_cnt, ns_cnt, addit_cnt; 662 uchar_t *ptr, *eom; 663 struct __res_state res_state; 664 union { 665 HEADER hdr; 666 uchar_t buf[NS_MAXMSG]; 667 } msg; 668 669 bzero(&res_state, sizeof (struct __res_state)); 670 if (res_ninit(&res_state) < 0) 671 return (NULL); 672 673 /* use TCP */ 674 res_state.options |= RES_USEVC; 675 676 len = res_nquerydomain(&res_state, msdcs_svc_name, domain, 677 C_IN, T_SRV, msg.buf, sizeof (msg.buf)); 678 679 if (len < 0) { 680 syslog(LOG_NOTICE, "DNS query for %s failed: %s", 681 msdcs_svc_name, hstrerror(res_state.res_h_errno)); 682 res_ndestroy(&res_state); 683 return (NULL); 684 } 685 686 if (len > sizeof (msg.buf)) { 687 syslog(LOG_NOTICE, 688 "DNS query for %s failed: too big", msdcs_svc_name); 689 res_ndestroy(&res_state); 690 return (NULL); 691 } 692 693 /* parse the reply, skip header and question sections */ 694 ptr = msg.buf + sizeof (msg.hdr); 695 eom = msg.buf + len; 696 697 /* check truncated message bit */ 698 if (msg.hdr.tc) 699 syslog(LOG_NOTICE, 700 "DNS query for %s failed: truncated", msdcs_svc_name); 701 702 qcnt = ntohs(msg.hdr.qdcount); 703 ans_cnt = ntohs(msg.hdr.ancount); 704 ns_cnt = ntohs(msg.hdr.nscount); 705 addit_cnt = ntohs(msg.hdr.arcount); 706 707 if (smb_ads_skip_ques_sec(qcnt, &ptr, eom) != 0) { 708 res_ndestroy(&res_state); 709 return (NULL); 710 } 711 712 hlist = smb_ads_hlist_alloc(ans_cnt); 713 if (hlist == NULL) { 714 res_ndestroy(&res_state); 715 return (NULL); 716 } 717 718 /* walk through the answer section */ 719 if (smb_ads_decode_host_ans_sec(ans_cnt, &ptr, eom, msg.buf, 720 hlist->ah_list) != 0) { 721 smb_ads_hlist_free(hlist); 722 res_ndestroy(&res_state); 723 return (NULL); 724 } 725 726 /* check authority section */ 727 if (ns_cnt > 0) { 728 if (smb_ads_skip_auth_sec(ns_cnt, &ptr, eom) != 0) { 729 smb_ads_hlist_free(hlist); 730 res_ndestroy(&res_state); 731 return (NULL); 732 } 733 } 734 735 /* 736 * Check additional section to get IP address of ADS host. 737 */ 738 if (addit_cnt > 0) { 739 if (smb_ads_decode_host_ip(addit_cnt, ans_cnt, 740 &ptr, eom, msg.buf, hlist->ah_list) != 0) { 741 smb_ads_hlist_free(hlist); 742 res_ndestroy(&res_state); 743 return (NULL); 744 } 745 } 746 747 res_ndestroy(&res_state); 748 return (hlist); 749 } 750 751 /* 752 * smb_ads_get_site_service 753 * 754 * Gets the msdcs SRV RR for the specified site. 755 */ 756 static void 757 smb_ads_get_site_service(char *site_service, size_t len) 758 { 759 (void) mutex_lock(&smb_ads_cfg.c_mtx); 760 if (*smb_ads_cfg.c_site == '\0') 761 *site_service = '\0'; 762 else 763 (void) snprintf(site_service, len, 764 SMB_ADS_MSDCS_SRV_SITE_RR, smb_ads_cfg.c_site); 765 766 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 767 } 768 769 /* 770 * smb_ads_getipnodebyname 771 * 772 * This method gets the IP address by doing a host name lookup. 773 */ 774 static int 775 smb_ads_getipnodebyname(smb_ads_host_info_t *hentry) 776 { 777 struct hostent *h; 778 int error; 779 780 switch (hentry->ipaddr.a_family) { 781 case AF_INET6: 782 h = getipnodebyname(hentry->name, hentry->ipaddr.a_family, 783 AI_DEFAULT, &error); 784 if (h == NULL || h->h_length != IPV6_ADDR_LEN) 785 return (-1); 786 break; 787 788 case AF_INET: 789 h = getipnodebyname(hentry->name, hentry->ipaddr.a_family, 790 0, &error); 791 if (h == NULL || h->h_length != INADDRSZ) 792 return (-1); 793 break; 794 795 default: 796 return (-1); 797 } 798 bcopy(*(h->h_addr_list), &hentry->ipaddr.a_ip, h->h_length); 799 freehostent(h); 800 return (0); 801 } 802 803 /* 804 * smb_ads_find_host 805 * 806 * Finds an ADS host in a given domain. 807 * 808 * If the cached host is valid, it will be used. Otherwise, a DC will 809 * be selected based on the following criteria: 810 * 811 * 1) pdc (aka preferred DC) configuration 812 * 2) AD site configuration - the scope of the DNS lookup will be 813 * restricted to the specified site. 814 * 3) DC on the same subnet 815 * 4) DC with the lowest priority/highest weight 816 * 817 * The above items are listed in decreasing preference order. The selected 818 * DC must be online. 819 * 820 * If this function is called during domain join, the specified kpasswd server 821 * takes precedence over preferred DC, AD site, and so on. 822 * 823 * Parameters: 824 * domain: fully-qualified domain name. 825 * kpasswd_srv: fully-quailifed hostname of the kpasswd server. 826 * 827 * Returns: 828 * A copy of the cached host info is returned. The caller is responsible 829 * for deallocating the memory returned by this function. 830 */ 831 /*ARGSUSED*/ 832 smb_ads_host_info_t * 833 smb_ads_find_host(char *domain, char *kpasswd_srv) 834 { 835 int i; 836 char site_service[MAXHOSTNAMELEN]; 837 smb_ads_host_list_t *hlist, *hlist2; 838 smb_ads_host_info_t *hlistp = NULL, *host = NULL; 839 smb_ads_host_info_t *found_kpasswd_srv = NULL; 840 smb_ads_host_info_t *found_pdc = NULL; 841 842 if ((kpasswd_srv) && (*kpasswd_srv == '\0')) 843 kpasswd_srv = NULL; 844 845 (void) mutex_lock(&smb_ads_cached_host_mtx); 846 if (smb_ads_validate_cache_host(domain, kpasswd_srv)) { 847 host = smb_ads_dup_host_info(smb_ads_cached_host_info); 848 (void) mutex_unlock(&smb_ads_cached_host_mtx); 849 return (host); 850 } 851 852 (void) mutex_unlock(&smb_ads_cached_host_mtx); 853 smb_ads_free_cached_host(); 854 855 /* 856 * First look for ADS hosts in ADS site if configured. Then try 857 * without ADS site info. 858 */ 859 hlist = NULL; 860 smb_ads_get_site_service(site_service, MAXHOSTNAMELEN); 861 862 /* 863 * If we're given an AD, the DNS SRV RR lookup should not be restricted 864 * to the specified site since there is no guarantee that the specified 865 * AD is in the specified site. 866 */ 867 if (*site_service != '\0' && !kpasswd_srv && 868 !smb_ads_is_pdc_configured()) 869 hlist = smb_ads_query_dns_server(domain, site_service); 870 871 if (!hlist) 872 hlist = smb_ads_query_dns_server(domain, 873 SMB_ADS_MSDCS_SRV_DC_RR); 874 875 if ((hlist == NULL) || (hlist->ah_list == NULL) || (hlist->ah_cnt == 0)) 876 return (NULL); 877 878 for (i = 0, hlistp = hlist->ah_list; i < hlist->ah_cnt; i++) { 879 /* Do a host lookup by hostname to get the IP address */ 880 if (smb_inet_iszero(&hlistp[i].ipaddr)) { 881 if (smb_ads_getipnodebyname(&hlistp[i]) < 0) 882 continue; 883 } 884 885 if (smb_ads_is_sought_host(&hlistp[i], kpasswd_srv)) 886 found_kpasswd_srv = &hlistp[i]; 887 888 if (smb_ads_match_pdc(&hlistp[i])) 889 found_pdc = &hlistp[i]; 890 } 891 892 if (found_kpasswd_srv && smb_ads_ldap_ping(found_kpasswd_srv) == 0) { 893 host = found_kpasswd_srv; 894 goto update_cache; 895 } 896 897 if (found_pdc && smb_ads_ldap_ping(found_pdc) == 0) { 898 host = found_pdc; 899 goto update_cache; 900 } 901 902 /* 903 * If the specified DC (kpasswd_srv or pdc) is not found, fallback 904 * to find a DC in the specified AD site. 905 */ 906 if (*site_service != '\0' && 907 (kpasswd_srv || smb_ads_is_pdc_configured())) { 908 hlist2 = smb_ads_query_dns_server(domain, site_service); 909 if (hlist2 && hlist2->ah_list && hlist2->ah_cnt != 0) { 910 smb_ads_hlist_free(hlist); 911 hlist = hlist2; 912 hlistp = hlist->ah_list; 913 914 for (i = 0; i < hlist->ah_cnt; i++) { 915 if (smb_inet_iszero(&hlistp[i].ipaddr) && 916 smb_ads_getipnodebyname(&hlistp[i]) < 0) 917 continue; 918 } 919 } 920 } 921 922 /* Select DC from DC list */ 923 host = smb_ads_select_dc(hlist); 924 925 update_cache: 926 if (host) { 927 (void) mutex_lock(&smb_ads_cached_host_mtx); 928 if (!smb_ads_cached_host_info) 929 smb_ads_cached_host_info = smb_ads_dup_host_info(host); 930 host = smb_ads_dup_host_info(smb_ads_cached_host_info); 931 (void) mutex_unlock(&smb_ads_cached_host_mtx); 932 } 933 934 smb_ads_hlist_free(hlist); 935 return (host); 936 } 937 938 /* 939 * Return the number of dots in a string. 940 */ 941 static int 942 smb_ads_count_dots(const char *s) 943 { 944 int ndots = 0; 945 946 while (*s) { 947 if (*s++ == '.') 948 ndots++; 949 } 950 951 return (ndots); 952 } 953 954 /* 955 * Convert a domain name in dot notation to distinguished name format, 956 * for example: sun.com -> dc=sun,dc=com. 957 * 958 * Returns a pointer to an allocated buffer containing the distinguished 959 * name. 960 */ 961 static char * 962 smb_ads_convert_domain(const char *domain_name) 963 { 964 const char *s; 965 char *dn_name; 966 char buf[2]; 967 int ndots; 968 int len; 969 970 if (domain_name == NULL || *domain_name == 0) 971 return (NULL); 972 973 ndots = smb_ads_count_dots(domain_name); 974 ++ndots; 975 len = strlen(domain_name) + (ndots * SMB_ADS_DN_PREFIX_LEN) + 1; 976 977 if ((dn_name = malloc(len)) == NULL) 978 return (NULL); 979 980 bzero(dn_name, len); 981 (void) strlcpy(dn_name, "dc=", len); 982 983 buf[1] = '\0'; 984 s = domain_name; 985 986 while (*s) { 987 if (*s == '.') { 988 (void) strlcat(dn_name, ",dc=", len); 989 } else { 990 buf[0] = *s; 991 (void) strlcat(dn_name, buf, len); 992 } 993 ++s; 994 } 995 996 return (dn_name); 997 } 998 999 /* 1000 * smb_ads_free_cached_host 1001 * 1002 * Free the memory use by the global smb_ads_cached_host_info & set it to NULL. 1003 */ 1004 static void 1005 smb_ads_free_cached_host(void) 1006 { 1007 (void) mutex_lock(&smb_ads_cached_host_mtx); 1008 if (smb_ads_cached_host_info) { 1009 free(smb_ads_cached_host_info); 1010 smb_ads_cached_host_info = NULL; 1011 } 1012 (void) mutex_unlock(&smb_ads_cached_host_mtx); 1013 } 1014 1015 /* 1016 * smb_ads_open 1017 * Open a LDAP connection to an ADS server if the system is in domain mode. 1018 * Acquire both Kerberos TGT and LDAP service tickets for the host principal. 1019 * 1020 * This function should only be called after the system is successfully joined 1021 * to a domain. 1022 */ 1023 smb_ads_handle_t * 1024 smb_ads_open(void) 1025 { 1026 char domain[MAXHOSTNAMELEN]; 1027 1028 if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) 1029 return (NULL); 1030 1031 if (smb_getfqdomainname(domain, MAXHOSTNAMELEN) != 0) 1032 return (NULL); 1033 1034 return (smb_ads_open_main(domain, NULL, NULL)); 1035 } 1036 1037 /* 1038 * smb_ads_open_main 1039 * Open a LDAP connection to an ADS server. 1040 * If ADS is enabled and the administrative username, password, and 1041 * ADS domain are defined then query DNS to find an ADS server if this is the 1042 * very first call to this routine. After an ADS server is found then this 1043 * server will be used everytime this routine is called until the system is 1044 * rebooted or the ADS server becomes unavailable then an ADS server will 1045 * be queried again. After the connection is made then an ADS handle 1046 * is created to be returned. 1047 * 1048 * After the LDAP connection, the LDAP version will be set to 3 using 1049 * ldap_set_option(). 1050 * 1051 * The smb_ads_bind() routine is also called before the ADS handle is returned. 1052 * Parameters: 1053 * domain - fully-qualified domain name 1054 * user - the user account for whom the Kerberos TGT ticket and ADS 1055 * service tickets are acquired. 1056 * password - password of the specified user 1057 * 1058 * Returns: 1059 * NULL : can't connect to ADS server or other errors 1060 * smb_ads_handle_t* : handle to ADS server 1061 */ 1062 static smb_ads_handle_t * 1063 smb_ads_open_main(char *domain, char *user, char *password) 1064 { 1065 smb_ads_handle_t *ah; 1066 LDAP *ld; 1067 int version = 3; 1068 smb_ads_host_info_t *ads_host = NULL; 1069 1070 ads_host = smb_ads_find_host(domain, NULL); 1071 if (ads_host == NULL) 1072 return (NULL); 1073 1074 ah = (smb_ads_handle_t *)malloc(sizeof (smb_ads_handle_t)); 1075 if (ah == NULL) { 1076 free(ads_host); 1077 return (NULL); 1078 } 1079 1080 (void) memset(ah, 0, sizeof (smb_ads_handle_t)); 1081 1082 if ((ld = ldap_init(ads_host->name, ads_host->port)) == NULL) { 1083 smb_ads_free_cached_host(); 1084 free(ah); 1085 free(ads_host); 1086 return (NULL); 1087 } 1088 1089 if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) 1090 != LDAP_SUCCESS) { 1091 smb_ads_free_cached_host(); 1092 free(ah); 1093 free(ads_host); 1094 (void) ldap_unbind(ld); 1095 return (NULL); 1096 } 1097 1098 (void) ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); 1099 ah->ld = ld; 1100 ah->user = (user) ? strdup(user) : NULL; 1101 ah->pwd = (password) ? strdup(password) : NULL; 1102 ah->domain = strdup(domain); 1103 1104 if (ah->domain == NULL) { 1105 smb_ads_close(ah); 1106 free(ads_host); 1107 return (NULL); 1108 } 1109 1110 ah->domain_dn = smb_ads_convert_domain(domain); 1111 if (ah->domain_dn == NULL) { 1112 smb_ads_close(ah); 1113 free(ads_host); 1114 return (NULL); 1115 } 1116 1117 ah->hostname = strdup(ads_host->name); 1118 if (ah->hostname == NULL) { 1119 smb_ads_close(ah); 1120 free(ads_host); 1121 return (NULL); 1122 } 1123 (void) mutex_lock(&smb_ads_cfg.c_mtx); 1124 if (*smb_ads_cfg.c_site != '\0') { 1125 if ((ah->site = strdup(smb_ads_cfg.c_site)) == NULL) { 1126 smb_ads_close(ah); 1127 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 1128 free(ads_host); 1129 return (NULL); 1130 } 1131 } else { 1132 ah->site = NULL; 1133 } 1134 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 1135 1136 if (smb_ads_bind(ah) == -1) { 1137 smb_ads_close(ah); 1138 free(ads_host); 1139 return (NULL); 1140 } 1141 1142 free(ads_host); 1143 return (ah); 1144 } 1145 1146 /* 1147 * smb_ads_close 1148 * Close connection to ADS server and free memory allocated for ADS handle. 1149 * LDAP unbind is called here. 1150 * Parameters: 1151 * ah: handle to ADS server 1152 * Returns: 1153 * void 1154 */ 1155 void 1156 smb_ads_close(smb_ads_handle_t *ah) 1157 { 1158 int len; 1159 1160 if (ah == NULL) 1161 return; 1162 /* close and free connection resources */ 1163 if (ah->ld) 1164 (void) ldap_unbind(ah->ld); 1165 1166 free(ah->user); 1167 if (ah->pwd) { 1168 len = strlen(ah->pwd); 1169 /* zero out the memory that contains user's password */ 1170 if (len > 0) 1171 bzero(ah->pwd, len); 1172 free(ah->pwd); 1173 } 1174 free(ah->domain); 1175 free(ah->domain_dn); 1176 free(ah->hostname); 1177 free(ah->site); 1178 free(ah); 1179 } 1180 1181 /* 1182 * smb_ads_display_stat 1183 * Display error message for GSS-API routines. 1184 * Parameters: 1185 * maj: GSS major status 1186 * min: GSS minor status 1187 * Returns: 1188 * None 1189 */ 1190 static void 1191 smb_ads_display_stat(OM_uint32 maj, OM_uint32 min) 1192 { 1193 gss_buffer_desc msg; 1194 OM_uint32 msg_ctx = 0; 1195 OM_uint32 min2; 1196 (void) gss_display_status(&min2, maj, GSS_C_GSS_CODE, GSS_C_NULL_OID, 1197 &msg_ctx, &msg); 1198 smb_tracef("major status: %s", (char *)msg.value); 1199 (void) gss_release_buffer(&min2, &msg); 1200 (void) gss_display_status(&min2, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, 1201 &msg_ctx, &msg); 1202 smb_tracef("minor status: %s", (char *)msg.value); 1203 (void) gss_release_buffer(&min2, &msg); 1204 } 1205 1206 /* 1207 * smb_ads_alloc_attr 1208 * 1209 * Since the attrs is a null-terminated array, all elements 1210 * in the array (except the last one) will point to allocated 1211 * memory. 1212 */ 1213 static int 1214 smb_ads_alloc_attr(LDAPMod *attrs[], int num) 1215 { 1216 int i; 1217 1218 bzero(attrs, num * sizeof (LDAPMod *)); 1219 for (i = 0; i < (num - 1); i++) { 1220 attrs[i] = (LDAPMod *)malloc(sizeof (LDAPMod)); 1221 if (attrs[i] == NULL) { 1222 smb_ads_free_attr(attrs); 1223 return (-1); 1224 } 1225 } 1226 1227 return (0); 1228 } 1229 1230 /* 1231 * smb_ads_free_attr 1232 * Free memory allocated when publishing a share. 1233 * Parameters: 1234 * attrs: an array of LDAPMod pointers 1235 * Returns: 1236 * None 1237 */ 1238 static void 1239 smb_ads_free_attr(LDAPMod *attrs[]) 1240 { 1241 int i; 1242 for (i = 0; attrs[i]; i++) { 1243 free(attrs[i]); 1244 } 1245 } 1246 1247 /* 1248 * smb_ads_get_spnset 1249 * 1250 * Derives the core set of SPNs based on the FQHN. 1251 * The spn_set is a null-terminated array of char pointers. 1252 * 1253 * Returns 0 upon success. Otherwise, returns -1. 1254 */ 1255 static int 1256 smb_ads_get_spnset(char *fqhost, char **spn_set) 1257 { 1258 int i; 1259 1260 bzero(spn_set, (SMBKRB5_SPN_IDX_MAX + 1) * sizeof (char *)); 1261 for (i = 0; i < SMBKRB5_SPN_IDX_MAX; i++) { 1262 if ((spn_set[i] = smb_krb5_get_spn(i, fqhost)) == NULL) { 1263 smb_ads_free_spnset(spn_set); 1264 return (-1); 1265 } 1266 } 1267 1268 return (0); 1269 } 1270 1271 /* 1272 * smb_ads_free_spnset 1273 * 1274 * Free the memory allocated for the set of SPNs. 1275 */ 1276 static void 1277 smb_ads_free_spnset(char **spn_set) 1278 { 1279 int i; 1280 for (i = 0; spn_set[i]; i++) 1281 free(spn_set[i]); 1282 } 1283 1284 /* 1285 * smb_ads_acquire_cred 1286 * Called by smb_ads_bind() to get a handle to administrative user's credential 1287 * stored locally on the system. The credential is the TGT. If the attempt at 1288 * getting handle fails then a second attempt will be made after getting a 1289 * new TGT. 1290 * Please look at smb_ads_bind() for more information. 1291 * 1292 * Paramters: 1293 * ah : handle to ADS server 1294 * kinit_retry: if 0 then a second attempt will be made to get handle to the 1295 * credential if the first attempt fails 1296 * Returns: 1297 * cred_handle: handle to the administrative user's credential (TGT) 1298 * oid : contains Kerberos 5 object identifier 1299 * kinit_retry: A 1 indicates that a second attempt has been made to get 1300 * handle to the credential and no further attempts can be made 1301 * -1 : error 1302 * 0 : success 1303 */ 1304 static int 1305 smb_ads_acquire_cred(smb_ads_handle_t *ah, gss_cred_id_t *cred_handle, 1306 gss_OID *oid, int *kinit_retry) 1307 { 1308 return (krb5_acquire_cred_kinit(ah->user, ah->pwd, cred_handle, oid, 1309 kinit_retry, "ads")); 1310 } 1311 1312 /* 1313 * smb_ads_establish_sec_context 1314 * Called by smb_ads_bind() to establish a security context to an LDAP service 1315 * on an ADS server. If the attempt at establishing the security context fails 1316 * then a second attempt will be made by smb_ads_bind() if a new TGT has not 1317 * been already obtained in ads_acquire_cred. The second attempt, if allowed, 1318 * will obtained a new TGT here and a new handle to the credential will also be 1319 * obtained in ads_acquire_cred. LDAP SASL bind is used to send and receive 1320 * the GSS tokens to and from the ADS server. 1321 * Please look at ads_bind for more information. 1322 * Paramters: 1323 * ah : handle to ADS server 1324 * cred_handle : handle to administrative user's credential (TGT) 1325 * oid : Kerberos 5 object identifier 1326 * kinit_retry : if 0 then a second attempt can be made to establish a 1327 * security context with ADS server if first attempt fails 1328 * Returns: 1329 * gss_context : security context to ADS server 1330 * sercred : encrypted ADS server's supported security layers 1331 * do_acquire_cred: if 1 then a second attempt will be made to establish a 1332 * security context with ADS server after getting a new 1333 * handle to the user's credential 1334 * kinit_retry : if 1 then a second attempt will be made to establish a 1335 * a security context and no further attempts can be made 1336 * -1 : error 1337 * 0 : success 1338 */ 1339 static int 1340 smb_ads_establish_sec_context(smb_ads_handle_t *ah, gss_ctx_id_t *gss_context, 1341 gss_cred_id_t cred_handle, gss_OID oid, struct berval **sercred, 1342 int *kinit_retry, int *do_acquire_cred) 1343 { 1344 OM_uint32 maj, min, time_rec; 1345 char service_name[SMB_ADS_MAXBUFLEN]; 1346 gss_buffer_desc send_tok, service_buf; 1347 gss_name_t target_name; 1348 gss_buffer_desc input; 1349 gss_buffer_desc *inputptr; 1350 struct berval cred; 1351 OM_uint32 ret_flags; 1352 int stat; 1353 int gss_flags; 1354 1355 (void) snprintf(service_name, SMB_ADS_MAXBUFLEN, "ldap@%s", 1356 ah->hostname); 1357 service_buf.value = service_name; 1358 service_buf.length = strlen(service_name)+1; 1359 if ((maj = gss_import_name(&min, &service_buf, 1360 (gss_OID) gss_nt_service_name, 1361 &target_name)) != GSS_S_COMPLETE) { 1362 smb_ads_display_stat(maj, min); 1363 if (oid != GSS_C_NO_OID) 1364 (void) gss_release_oid(&min, &oid); 1365 return (-1); 1366 } 1367 1368 *gss_context = GSS_C_NO_CONTEXT; 1369 *sercred = NULL; 1370 inputptr = GSS_C_NO_BUFFER; 1371 gss_flags = GSS_C_MUTUAL_FLAG; 1372 do { 1373 if (krb5_establish_sec_ctx_kinit(ah->user, ah->pwd, 1374 cred_handle, gss_context, target_name, oid, 1375 gss_flags, inputptr, &send_tok, 1376 &ret_flags, &time_rec, kinit_retry, 1377 do_acquire_cred, &maj, "ads") == -1) { 1378 if (oid != GSS_C_NO_OID) 1379 (void) gss_release_oid(&min, &oid); 1380 (void) gss_release_name(&min, &target_name); 1381 return (-1); 1382 } 1383 1384 cred.bv_val = send_tok.value; 1385 cred.bv_len = send_tok.length; 1386 if (*sercred) { 1387 ber_bvfree(*sercred); 1388 *sercred = NULL; 1389 } 1390 stat = ldap_sasl_bind_s(ah->ld, NULL, "GSSAPI", 1391 &cred, NULL, NULL, sercred); 1392 if (stat != LDAP_SUCCESS && 1393 stat != LDAP_SASL_BIND_IN_PROGRESS) { 1394 syslog(LOG_NOTICE, "ldap_sasl_bind: %s", 1395 ldap_err2string(stat)); 1396 if (oid != GSS_C_NO_OID) 1397 (void) gss_release_oid(&min, &oid); 1398 (void) gss_release_name(&min, &target_name); 1399 (void) gss_release_buffer(&min, &send_tok); 1400 return (-1); 1401 } 1402 input.value = (*sercred)->bv_val; 1403 input.length = (*sercred)->bv_len; 1404 inputptr = &input; 1405 if (send_tok.length > 0) 1406 (void) gss_release_buffer(&min, &send_tok); 1407 } while (maj != GSS_S_COMPLETE); 1408 1409 if (oid != GSS_C_NO_OID) 1410 (void) gss_release_oid(&min, &oid); 1411 (void) gss_release_name(&min, &target_name); 1412 1413 return (0); 1414 } 1415 1416 /* 1417 * smb_ads_negotiate_sec_layer 1418 * Call by smb_ads_bind() to negotiate additional security layer for further 1419 * communication after security context establishment. No additional security 1420 * is needed so a "no security layer" is negotiated. The security layer is 1421 * described in the SASL RFC 2478 and this step is needed for secure LDAP 1422 * binding. LDAP SASL bind is used to send and receive the GSS tokens to and 1423 * from the ADS server. 1424 * Please look at smb_ads_bind for more information. 1425 * 1426 * Paramters: 1427 * ah : handle to ADS server 1428 * gss_context: security context to ADS server 1429 * sercred : encrypted ADS server's supported security layers 1430 * Returns: 1431 * -1 : error 1432 * 0 : success 1433 */ 1434 static int 1435 smb_ads_negotiate_sec_layer(smb_ads_handle_t *ah, gss_ctx_id_t gss_context, 1436 struct berval *sercred) 1437 { 1438 OM_uint32 maj, min; 1439 gss_buffer_desc unwrap_inbuf, unwrap_outbuf; 1440 gss_buffer_desc wrap_inbuf, wrap_outbuf; 1441 int conf_state, sec_layer; 1442 char auth_id[5]; 1443 struct berval cred; 1444 int stat; 1445 gss_qop_t qt; 1446 1447 /* check for server supported security layer */ 1448 unwrap_inbuf.value = sercred->bv_val; 1449 unwrap_inbuf.length = sercred->bv_len; 1450 if ((maj = gss_unwrap(&min, gss_context, 1451 &unwrap_inbuf, &unwrap_outbuf, 1452 &conf_state, &qt)) != GSS_S_COMPLETE) { 1453 smb_ads_display_stat(maj, min); 1454 if (sercred) 1455 ber_bvfree(sercred); 1456 return (-1); 1457 } 1458 sec_layer = *((char *)unwrap_outbuf.value); 1459 (void) gss_release_buffer(&min, &unwrap_outbuf); 1460 if (!(sec_layer & 1)) { 1461 if (sercred) 1462 ber_bvfree(sercred); 1463 return (-1); 1464 } 1465 if (sercred) ber_bvfree(sercred); 1466 1467 /* no security layer needed after successful binding */ 1468 auth_id[0] = 0x01; 1469 1470 /* byte 2-4: max client recv size in network byte order */ 1471 auth_id[1] = 0x00; 1472 auth_id[2] = 0x40; 1473 auth_id[3] = 0x00; 1474 wrap_inbuf.value = auth_id; 1475 wrap_inbuf.length = 4; 1476 conf_state = 0; 1477 if ((maj = gss_wrap(&min, gss_context, conf_state, 0, &wrap_inbuf, 1478 &conf_state, &wrap_outbuf)) != GSS_S_COMPLETE) { 1479 smb_ads_display_stat(maj, min); 1480 return (-1); 1481 } 1482 1483 cred.bv_val = wrap_outbuf.value; 1484 cred.bv_len = wrap_outbuf.length; 1485 sercred = NULL; 1486 stat = ldap_sasl_bind_s(ah->ld, NULL, "GSSAPI", &cred, NULL, NULL, 1487 &sercred); 1488 if (stat != LDAP_SUCCESS && stat != LDAP_SASL_BIND_IN_PROGRESS) { 1489 syslog(LOG_NOTICE, "ldap_sasl_bind: %s", 1490 ldap_err2string(stat)); 1491 (void) gss_release_buffer(&min, &wrap_outbuf); 1492 return (-1); 1493 } 1494 1495 (void) gss_release_buffer(&min, &wrap_outbuf); 1496 if (sercred) 1497 ber_bvfree(sercred); 1498 1499 return (0); 1500 } 1501 1502 /* 1503 * smb_ads_bind 1504 * Use secure binding to bind to ADS server. 1505 * Use GSS-API with Kerberos 5 as the security mechanism and LDAP SASL with 1506 * Kerberos 5 as the security mechanisn to authenticate, obtain a security 1507 * context, and securely bind an administrative user so that other LDAP 1508 * commands can be used, i.e. add and delete. 1509 * 1510 * To obtain the security context, a Kerberos ticket-granting ticket (TGT) 1511 * for the user is needed to obtain a ticket for the LDAP service. To get 1512 * a TGT for the user, the username and password is needed. Once a TGT is 1513 * obtained then it will be stored locally and used until it is expired. 1514 * This routine will automatically obtained a TGT for the first time or when 1515 * it expired. LDAP SASL bind is then finally used to send GSS tokens to 1516 * obtain a security context for the LDAP service on the ADS server. If 1517 * there is any problem getting the security context then a new TGT will be 1518 * obtain to try getting the security context once more. 1519 * 1520 * After the security context is obtain and established, the LDAP SASL bind 1521 * is used to negotiate an additional security layer. No further security is 1522 * needed so a "no security layer" is negotiated. After this the security 1523 * context can be deleted and further LDAP commands can be sent to the ADS 1524 * server until a LDAP unbind command is issued to the ADS server. 1525 * Paramaters: 1526 * ah: handle to ADS server 1527 * Returns: 1528 * -1: error 1529 * 0: success 1530 */ 1531 static int 1532 smb_ads_bind(smb_ads_handle_t *ah) 1533 { 1534 OM_uint32 min; 1535 gss_cred_id_t cred_handle; 1536 gss_ctx_id_t gss_context; 1537 gss_OID oid; 1538 struct berval *sercred; 1539 int kinit_retry, do_acquire_cred; 1540 int rc = 0; 1541 1542 kinit_retry = 0; 1543 do_acquire_cred = 0; 1544 1545 acquire_cred: 1546 1547 if (smb_ads_acquire_cred(ah, &cred_handle, &oid, &kinit_retry)) 1548 return (-1); 1549 1550 if (smb_ads_establish_sec_context(ah, &gss_context, cred_handle, 1551 oid, &sercred, &kinit_retry, &do_acquire_cred)) { 1552 (void) gss_release_cred(&min, &cred_handle); 1553 if (do_acquire_cred) { 1554 do_acquire_cred = 0; 1555 goto acquire_cred; 1556 } 1557 return (-1); 1558 } 1559 rc = smb_ads_negotiate_sec_layer(ah, gss_context, sercred); 1560 1561 if (cred_handle != GSS_C_NO_CREDENTIAL) 1562 (void) gss_release_cred(&min, &cred_handle); 1563 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1564 1565 return ((rc) ? -1 : 0); 1566 } 1567 1568 /* 1569 * smb_ads_add_share 1570 * Call by smb_ads_publish_share to create share object in ADS. 1571 * This routine specifies the attributes of an ADS LDAP share object. The first 1572 * attribute and values define the type of ADS object, the share object. The 1573 * second attribute and value define the UNC of the share data for the share 1574 * object. The LDAP synchronous add command is used to add the object into ADS. 1575 * The container location to add the object needs to specified. 1576 * Parameters: 1577 * ah : handle to ADS server 1578 * adsShareName: name of share object to be created in ADS 1579 * shareUNC : share name on NetForce 1580 * adsContainer: location in ADS to create share object 1581 * 1582 * Returns: 1583 * -1 : error 1584 * 0 : success 1585 */ 1586 int 1587 smb_ads_add_share(smb_ads_handle_t *ah, const char *adsShareName, 1588 const char *unc_name, const char *adsContainer) 1589 { 1590 LDAPMod *attrs[SMB_ADS_SHARE_NUM_ATTR]; 1591 int j = 0; 1592 char *share_dn; 1593 int len, ret; 1594 char *unc_names[] = {(char *)unc_name, NULL}; 1595 1596 len = 5 + strlen(adsShareName) + strlen(adsContainer) + 1597 strlen(ah->domain_dn) + 1; 1598 1599 share_dn = (char *)malloc(len); 1600 if (share_dn == NULL) 1601 return (-1); 1602 1603 (void) snprintf(share_dn, len, "cn=%s,%s,%s", adsShareName, 1604 adsContainer, ah->domain_dn); 1605 1606 if (smb_ads_alloc_attr(attrs, SMB_ADS_SHARE_NUM_ATTR) != 0) { 1607 free(share_dn); 1608 return (-1); 1609 } 1610 1611 attrs[j]->mod_op = LDAP_MOD_ADD; 1612 attrs[j]->mod_type = "objectClass"; 1613 attrs[j]->mod_values = smb_ads_share_objcls; 1614 1615 attrs[++j]->mod_op = LDAP_MOD_ADD; 1616 attrs[j]->mod_type = "uNCName"; 1617 attrs[j]->mod_values = unc_names; 1618 1619 if ((ret = ldap_add_s(ah->ld, share_dn, attrs)) != LDAP_SUCCESS) { 1620 smb_tracef("%s: ldap_add: %s", share_dn, ldap_err2string(ret)); 1621 smb_ads_free_attr(attrs); 1622 free(share_dn); 1623 return (ret); 1624 } 1625 free(share_dn); 1626 smb_ads_free_attr(attrs); 1627 1628 return (0); 1629 } 1630 1631 /* 1632 * smb_ads_del_share 1633 * Call by smb_ads_remove_share to remove share object from ADS. The container 1634 * location to remove the object needs to specified. The LDAP synchronous 1635 * delete command is used. 1636 * Parameters: 1637 * ah : handle to ADS server 1638 * adsShareName: name of share object in ADS to be removed 1639 * adsContainer: location of share object in ADS 1640 * Returns: 1641 * -1 : error 1642 * 0 : success 1643 */ 1644 static int 1645 smb_ads_del_share(smb_ads_handle_t *ah, const char *adsShareName, 1646 const char *adsContainer) 1647 { 1648 char *share_dn; 1649 int len, ret; 1650 1651 len = 5 + strlen(adsShareName) + strlen(adsContainer) + 1652 strlen(ah->domain_dn) + 1; 1653 1654 share_dn = (char *)malloc(len); 1655 if (share_dn == NULL) 1656 return (-1); 1657 1658 (void) snprintf(share_dn, len, "cn=%s,%s,%s", adsShareName, 1659 adsContainer, ah->domain_dn); 1660 if ((ret = ldap_delete_s(ah->ld, share_dn)) != LDAP_SUCCESS) { 1661 smb_tracef("ldap_delete: %s", ldap_err2string(ret)); 1662 free(share_dn); 1663 return (-1); 1664 } 1665 free(share_dn); 1666 1667 return (0); 1668 } 1669 1670 1671 /* 1672 * smb_ads_escape_search_filter_chars 1673 * 1674 * This routine will escape the special characters found in a string 1675 * that will later be passed to the ldap search filter. 1676 * 1677 * RFC 1960 - A String Representation of LDAP Search Filters 1678 * 3. String Search Filter Definition 1679 * If a value must contain one of the characters '*' OR '(' OR ')', 1680 * these characters 1681 * should be escaped by preceding them with the backslash '\' character. 1682 * 1683 * RFC 2252 - LDAP Attribute Syntax Definitions 1684 * a backslash quoting mechanism is used to escape 1685 * the following separator symbol character (such as "'", "$" or "#") if 1686 * it should occur in that string. 1687 */ 1688 static int 1689 smb_ads_escape_search_filter_chars(const char *src, char *dst) 1690 { 1691 int avail = SMB_ADS_MAXBUFLEN - 1; /* reserve a space for NULL char */ 1692 1693 if (src == NULL || dst == NULL) 1694 return (-1); 1695 1696 while (*src) { 1697 if (!avail) { 1698 *dst = 0; 1699 return (-1); 1700 } 1701 1702 switch (*src) { 1703 case '\\': 1704 case '\'': 1705 case '$': 1706 case '#': 1707 case '*': 1708 case '(': 1709 case ')': 1710 *dst++ = '\\'; 1711 avail--; 1712 /* fall through */ 1713 1714 default: 1715 *dst++ = *src++; 1716 avail--; 1717 } 1718 } 1719 1720 *dst = 0; 1721 1722 return (0); 1723 } 1724 1725 /* 1726 * smb_ads_lookup_share 1727 * The search filter is set to search for a specific share name in the 1728 * specified ADS container. The LDSAP synchronous search command is used. 1729 * Parameters: 1730 * ah : handle to ADS server 1731 * adsShareName: name of share object in ADS to be searched 1732 * adsContainer: location of share object in ADS 1733 * Returns: 1734 * -1 : error 1735 * 0 : not found 1736 * 1 : found 1737 */ 1738 int 1739 smb_ads_lookup_share(smb_ads_handle_t *ah, const char *adsShareName, 1740 const char *adsContainer, char *unc_name) 1741 { 1742 char *attrs[4], filter[SMB_ADS_MAXBUFLEN]; 1743 char *share_dn; 1744 int len, ret; 1745 LDAPMessage *res; 1746 char tmpbuf[SMB_ADS_MAXBUFLEN]; 1747 1748 if (adsShareName == NULL || adsContainer == NULL) 1749 return (-1); 1750 1751 len = 5 + strlen(adsShareName) + strlen(adsContainer) + 1752 strlen(ah->domain_dn) + 1; 1753 1754 share_dn = (char *)malloc(len); 1755 if (share_dn == NULL) 1756 return (-1); 1757 1758 (void) snprintf(share_dn, len, "cn=%s,%s,%s", adsShareName, 1759 adsContainer, ah->domain_dn); 1760 1761 res = NULL; 1762 attrs[0] = "cn"; 1763 attrs[1] = "objectClass"; 1764 attrs[2] = "uNCName"; 1765 attrs[3] = NULL; 1766 1767 if (smb_ads_escape_search_filter_chars(unc_name, tmpbuf) != 0) { 1768 free(share_dn); 1769 return (-1); 1770 } 1771 1772 (void) snprintf(filter, sizeof (filter), 1773 "(&(objectClass=volume)(uNCName=%s))", tmpbuf); 1774 1775 if ((ret = ldap_search_s(ah->ld, share_dn, 1776 LDAP_SCOPE_BASE, filter, attrs, 0, &res)) != LDAP_SUCCESS) { 1777 if (ret != LDAP_NO_SUCH_OBJECT) 1778 smb_tracef("%s: ldap_search: %s", share_dn, 1779 ldap_err2string(ret)); 1780 1781 (void) ldap_msgfree(res); 1782 free(share_dn); 1783 return (0); 1784 } 1785 1786 (void) free(share_dn); 1787 1788 /* no match is found */ 1789 if (ldap_count_entries(ah->ld, res) == 0) { 1790 (void) ldap_msgfree(res); 1791 return (0); 1792 } 1793 1794 /* free the search results */ 1795 (void) ldap_msgfree(res); 1796 1797 return (1); 1798 } 1799 1800 /* 1801 * smb_ads_publish_share 1802 * Publish share into ADS. If a share name already exist in ADS in the same 1803 * container then the existing share object is removed before adding the new 1804 * share object. 1805 * Parameters: 1806 * ah : handle return from smb_ads_open 1807 * adsShareName: name of share to be added to ADS directory 1808 * shareUNC : name of share on client, can be NULL to use the same name 1809 * as adsShareName 1810 * adsContainer: location for share to be added in ADS directory, ie 1811 * ou=share_folder 1812 * uncType : use UNC_HOSTNAME to use hostname for UNC, use UNC_HOSTADDR 1813 * to use host ip addr for UNC. 1814 * Returns: 1815 * -1 : error 1816 * 0 : success 1817 */ 1818 int 1819 smb_ads_publish_share(smb_ads_handle_t *ah, const char *adsShareName, 1820 const char *shareUNC, const char *adsContainer, const char *hostname) 1821 { 1822 int ret; 1823 char unc_name[SMB_ADS_MAXBUFLEN]; 1824 1825 if (adsShareName == NULL || adsContainer == NULL) 1826 return (-1); 1827 1828 if (shareUNC == 0 || *shareUNC == 0) 1829 shareUNC = adsShareName; 1830 1831 if (smb_ads_build_unc_name(unc_name, sizeof (unc_name), 1832 hostname, shareUNC) < 0) 1833 return (-1); 1834 1835 ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name); 1836 1837 switch (ret) { 1838 case 1: 1839 (void) smb_ads_del_share(ah, adsShareName, adsContainer); 1840 ret = smb_ads_add_share(ah, adsShareName, unc_name, 1841 adsContainer); 1842 break; 1843 1844 case 0: 1845 ret = smb_ads_add_share(ah, adsShareName, unc_name, 1846 adsContainer); 1847 if (ret == LDAP_ALREADY_EXISTS) 1848 ret = -1; 1849 1850 break; 1851 1852 case -1: 1853 default: 1854 /* return with error code */ 1855 ret = -1; 1856 } 1857 1858 return (ret); 1859 } 1860 1861 /* 1862 * smb_ads_remove_share 1863 * Remove share from ADS. A search is done first before explicitly removing 1864 * the share. 1865 * Parameters: 1866 * ah : handle return from smb_ads_open 1867 * adsShareName: name of share to be removed from ADS directory 1868 * adsContainer: location for share to be removed from ADS directory, ie 1869 * ou=share_folder 1870 * Returns: 1871 * -1 : error 1872 * 0 : success 1873 */ 1874 int 1875 smb_ads_remove_share(smb_ads_handle_t *ah, const char *adsShareName, 1876 const char *shareUNC, const char *adsContainer, const char *hostname) 1877 { 1878 int ret; 1879 char unc_name[SMB_ADS_MAXBUFLEN]; 1880 1881 if (adsShareName == NULL || adsContainer == NULL) 1882 return (-1); 1883 if (shareUNC == 0 || *shareUNC == 0) 1884 shareUNC = adsShareName; 1885 1886 if (smb_ads_build_unc_name(unc_name, sizeof (unc_name), 1887 hostname, shareUNC) < 0) 1888 return (-1); 1889 1890 ret = smb_ads_lookup_share(ah, adsShareName, adsContainer, unc_name); 1891 if (ret == 0) 1892 return (0); 1893 if (ret == -1) 1894 return (-1); 1895 1896 return (smb_ads_del_share(ah, adsShareName, adsContainer)); 1897 } 1898 1899 /* 1900 * smb_ads_get_default_comp_container_dn 1901 * 1902 * Build the distinguished name for the default computer conatiner (i.e. the 1903 * pre-defined Computers container). 1904 */ 1905 static void 1906 smb_ads_get_default_comp_container_dn(smb_ads_handle_t *ah, char *buf, 1907 size_t buflen) 1908 { 1909 (void) snprintf(buf, buflen, "cn=%s,%s", SMB_ADS_COMPUTERS_CN, 1910 ah->domain_dn); 1911 } 1912 1913 /* 1914 * smb_ads_get_default_comp_dn 1915 * 1916 * Build the distinguished name for this system. 1917 */ 1918 static void 1919 smb_ads_get_default_comp_dn(smb_ads_handle_t *ah, char *buf, size_t buflen) 1920 { 1921 char nbname[NETBIOS_NAME_SZ]; 1922 char container_dn[SMB_ADS_DN_MAX]; 1923 1924 (void) smb_getnetbiosname(nbname, sizeof (nbname)); 1925 smb_ads_get_default_comp_container_dn(ah, container_dn, SMB_ADS_DN_MAX); 1926 (void) snprintf(buf, buflen, "cn=%s,%s", nbname, container_dn); 1927 } 1928 1929 /* 1930 * smb_ads_add_computer 1931 * 1932 * Returns 0 upon success. Otherwise, returns -1. 1933 */ 1934 static int 1935 smb_ads_add_computer(smb_ads_handle_t *ah, int dclevel, char *dn) 1936 { 1937 return (smb_ads_computer_op(ah, LDAP_MOD_ADD, dclevel, dn)); 1938 } 1939 1940 /* 1941 * smb_ads_modify_computer 1942 * 1943 * Returns 0 upon success. Otherwise, returns -1. 1944 */ 1945 static int 1946 smb_ads_modify_computer(smb_ads_handle_t *ah, int dclevel, char *dn) 1947 { 1948 return (smb_ads_computer_op(ah, LDAP_MOD_REPLACE, dclevel, dn)); 1949 } 1950 1951 /* 1952 * smb_ads_get_dc_level 1953 * 1954 * Returns the functional level of the DC upon success. 1955 * Otherwise, -1 is returned. 1956 */ 1957 static int 1958 smb_ads_get_dc_level(smb_ads_handle_t *ah) 1959 { 1960 LDAPMessage *res, *entry; 1961 char *attr[2]; 1962 char **vals; 1963 int rc = -1; 1964 1965 res = NULL; 1966 attr[0] = SMB_ADS_ATTR_DCLEVEL; 1967 attr[1] = NULL; 1968 if (ldap_search_s(ah->ld, "", LDAP_SCOPE_BASE, NULL, attr, 1969 0, &res) != LDAP_SUCCESS) { 1970 (void) ldap_msgfree(res); 1971 return (-1); 1972 } 1973 1974 /* no match for the specified attribute is found */ 1975 if (ldap_count_entries(ah->ld, res) == 0) { 1976 (void) ldap_msgfree(res); 1977 return (-1); 1978 } 1979 1980 entry = ldap_first_entry(ah->ld, res); 1981 if (entry) { 1982 if ((vals = ldap_get_values(ah->ld, entry, 1983 SMB_ADS_ATTR_DCLEVEL)) == NULL) { 1984 /* 1985 * Observed the values aren't populated 1986 * by the Windows 2000 server. 1987 */ 1988 (void) ldap_msgfree(res); 1989 return (SMB_ADS_DCLEVEL_W2K); 1990 } 1991 1992 if (vals[0] != NULL) 1993 rc = atoi(vals[0]); 1994 1995 ldap_value_free(vals); 1996 } 1997 1998 (void) ldap_msgfree(res); 1999 return (rc); 2000 } 2001 2002 static int 2003 smb_ads_getfqhostname(smb_ads_handle_t *ah, char *fqhost, int len) 2004 { 2005 if (smb_gethostname(fqhost, len, 0) != 0) 2006 return (-1); 2007 2008 (void) snprintf(fqhost, len, "%s.%s", fqhost, 2009 ah->domain); 2010 2011 return (0); 2012 } 2013 2014 static int 2015 smb_ads_computer_op(smb_ads_handle_t *ah, int op, int dclevel, char *dn) 2016 { 2017 LDAPMod *attrs[SMB_ADS_COMPUTER_NUM_ATTR]; 2018 char *sam_val[2], *usr_val[2]; 2019 char *spn_set[SMBKRB5_SPN_IDX_MAX + 1], *ctl_val[2], *fqh_val[2]; 2020 char *encrypt_val[2]; 2021 int j = -1; 2022 int ret, usrctl_flags = 0; 2023 char sam_acct[SMB_SAMACCT_MAXLEN]; 2024 char fqhost[MAXHOSTNAMELEN]; 2025 char *user_principal; 2026 char usrctl_buf[16]; 2027 char encrypt_buf[16]; 2028 int max; 2029 2030 if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0) 2031 return (-1); 2032 2033 if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN)) 2034 return (-1); 2035 2036 if (smb_ads_get_spnset(fqhost, spn_set) != 0) 2037 return (-1); 2038 2039 /* 2040 * Windows 2008 DC expects the UPN attribute to be host/fqhn while 2041 * both Windows 2000 & 2003 expect it to be host/fqhn@realm. 2042 */ 2043 if (dclevel >= SMB_ADS_DCLEVEL_W2K8) 2044 user_principal = smb_krb5_get_spn(SMBKRB5_SPN_IDX_HOST, fqhost); 2045 else 2046 user_principal = smb_krb5_get_upn(spn_set[SMBKRB5_SPN_IDX_HOST], 2047 ah->domain); 2048 2049 if (user_principal == NULL) { 2050 smb_ads_free_spnset(spn_set); 2051 return (-1); 2052 } 2053 2054 max = (SMB_ADS_COMPUTER_NUM_ATTR - ((op != LDAP_MOD_ADD) ? 1 : 0)) 2055 - (dclevel >= SMB_ADS_DCLEVEL_W2K8 ? 0 : 1); 2056 2057 if (smb_ads_alloc_attr(attrs, max) != 0) { 2058 free(user_principal); 2059 smb_ads_free_spnset(spn_set); 2060 return (-1); 2061 } 2062 2063 /* objectClass attribute is not modifiable. */ 2064 if (op == LDAP_MOD_ADD) { 2065 attrs[++j]->mod_op = op; 2066 attrs[j]->mod_type = "objectClass"; 2067 attrs[j]->mod_values = smb_ads_computer_objcls; 2068 } 2069 2070 attrs[++j]->mod_op = op; 2071 attrs[j]->mod_type = SMB_ADS_ATTR_SAMACCT; 2072 sam_val[0] = sam_acct; 2073 sam_val[1] = 0; 2074 attrs[j]->mod_values = sam_val; 2075 2076 attrs[++j]->mod_op = op; 2077 attrs[j]->mod_type = SMB_ADS_ATTR_UPN; 2078 usr_val[0] = user_principal; 2079 usr_val[1] = 0; 2080 attrs[j]->mod_values = usr_val; 2081 2082 attrs[++j]->mod_op = op; 2083 attrs[j]->mod_type = SMB_ADS_ATTR_SPN; 2084 attrs[j]->mod_values = spn_set; 2085 2086 attrs[++j]->mod_op = op; 2087 attrs[j]->mod_type = SMB_ADS_ATTR_CTL; 2088 usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT | 2089 SMB_ADS_USER_ACCT_CTL_PASSWD_NOTREQD | 2090 SMB_ADS_USER_ACCT_CTL_ACCOUNTDISABLE); 2091 (void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", usrctl_flags); 2092 ctl_val[0] = usrctl_buf; 2093 ctl_val[1] = 0; 2094 attrs[j]->mod_values = ctl_val; 2095 2096 attrs[++j]->mod_op = op; 2097 attrs[j]->mod_type = SMB_ADS_ATTR_DNSHOST; 2098 fqh_val[0] = fqhost; 2099 fqh_val[1] = 0; 2100 attrs[j]->mod_values = fqh_val; 2101 2102 /* enctypes support starting in Windows Server 2008 */ 2103 if (dclevel > SMB_ADS_DCLEVEL_W2K3) { 2104 attrs[++j]->mod_op = op; 2105 attrs[j]->mod_type = SMB_ADS_ATTR_ENCTYPES; 2106 (void) snprintf(encrypt_buf, sizeof (encrypt_buf), "%d", 2107 SMB_ADS_ENC_AES256 + SMB_ADS_ENC_AES128 + SMB_ADS_ENC_RC4 + 2108 SMB_ADS_ENC_DES_MD5 + SMB_ADS_ENC_DES_CRC); 2109 encrypt_val[0] = encrypt_buf; 2110 encrypt_val[1] = 0; 2111 attrs[j]->mod_values = encrypt_val; 2112 } 2113 2114 switch (op) { 2115 case LDAP_MOD_ADD: 2116 if ((ret = ldap_add_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) { 2117 syslog(LOG_NOTICE, "ldap_add: %s", 2118 ldap_err2string(ret)); 2119 ret = -1; 2120 } 2121 break; 2122 2123 case LDAP_MOD_REPLACE: 2124 if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) { 2125 syslog(LOG_NOTICE, "ldap_modify: %s", 2126 ldap_err2string(ret)); 2127 ret = -1; 2128 } 2129 break; 2130 2131 default: 2132 ret = -1; 2133 2134 } 2135 2136 smb_ads_free_attr(attrs); 2137 free(user_principal); 2138 smb_ads_free_spnset(spn_set); 2139 2140 return (ret); 2141 } 2142 2143 /* 2144 * Delete an ADS computer account. 2145 */ 2146 static void 2147 smb_ads_del_computer(smb_ads_handle_t *ah, char *dn) 2148 { 2149 int rc; 2150 2151 if ((rc = ldap_delete_s(ah->ld, dn)) != LDAP_SUCCESS) 2152 smb_tracef("ldap_delete: %s", ldap_err2string(rc)); 2153 } 2154 2155 /* 2156 * Gets the value of the given attribute. 2157 */ 2158 static smb_ads_qstat_t 2159 smb_ads_getattr(LDAP *ld, LDAPMessage *entry, smb_ads_avpair_t *avpair) 2160 { 2161 char **vals; 2162 smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND; 2163 2164 assert(avpair); 2165 avpair->avp_val = NULL; 2166 vals = ldap_get_values(ld, entry, avpair->avp_attr); 2167 if (!vals) 2168 return (SMB_ADS_STAT_NOT_FOUND); 2169 2170 if (!vals[0]) { 2171 ldap_value_free(vals); 2172 return (SMB_ADS_STAT_NOT_FOUND); 2173 } 2174 2175 avpair->avp_val = strdup(vals[0]); 2176 if (!avpair->avp_val) 2177 rc = SMB_ADS_STAT_ERR; 2178 2179 ldap_value_free(vals); 2180 return (rc); 2181 } 2182 2183 /* 2184 * Process query's result. 2185 */ 2186 static smb_ads_qstat_t 2187 smb_ads_get_qstat(smb_ads_handle_t *ah, LDAPMessage *res, 2188 smb_ads_avpair_t *avpair) 2189 { 2190 char fqhost[MAXHOSTNAMELEN]; 2191 smb_ads_avpair_t dnshost_avp; 2192 smb_ads_qstat_t rc = SMB_ADS_STAT_FOUND; 2193 LDAPMessage *entry; 2194 2195 if (smb_ads_getfqhostname(ah, fqhost, MAXHOSTNAMELEN)) 2196 return (SMB_ADS_STAT_ERR); 2197 2198 if (ldap_count_entries(ah->ld, res) == 0) 2199 return (SMB_ADS_STAT_NOT_FOUND); 2200 2201 if ((entry = ldap_first_entry(ah->ld, res)) == NULL) 2202 return (SMB_ADS_STAT_ERR); 2203 2204 dnshost_avp.avp_attr = SMB_ADS_ATTR_DNSHOST; 2205 rc = smb_ads_getattr(ah->ld, entry, &dnshost_avp); 2206 2207 switch (rc) { 2208 case SMB_ADS_STAT_FOUND: 2209 /* 2210 * Returns SMB_ADS_STAT_DUP to avoid overwriting 2211 * the computer account of another system whose 2212 * NetBIOS name collides with that of the current 2213 * system. 2214 */ 2215 if (strcasecmp(dnshost_avp.avp_val, fqhost)) 2216 rc = SMB_ADS_STAT_DUP; 2217 2218 free(dnshost_avp.avp_val); 2219 break; 2220 2221 case SMB_ADS_STAT_NOT_FOUND: 2222 /* 2223 * Pre-created computer account doesn't have 2224 * the dNSHostname attribute. It's been observed 2225 * that the dNSHostname attribute is only set after 2226 * a successful domain join. 2227 * Returns SMB_ADS_STAT_FOUND as the account is 2228 * pre-created for the current system. 2229 */ 2230 rc = SMB_ADS_STAT_FOUND; 2231 break; 2232 2233 default: 2234 break; 2235 } 2236 2237 if (rc != SMB_ADS_STAT_FOUND) 2238 return (rc); 2239 2240 if (avpair) 2241 rc = smb_ads_getattr(ah->ld, entry, avpair); 2242 2243 return (rc); 2244 2245 } 2246 2247 /* 2248 * smb_ads_lookup_computer_n_attr 2249 * 2250 * If avpair is NULL, checks the status of the specified computer account. 2251 * Otherwise, looks up the value of the specified computer account's attribute. 2252 * If found, the value field of the avpair will be allocated and set. The 2253 * caller should free the allocated buffer. 2254 * 2255 * Return: 2256 * SMB_ADS_STAT_FOUND - if both the computer and the specified attribute is 2257 * found. 2258 * SMB_ADS_STAT_NOT_FOUND - if either the computer or the specified attribute 2259 * is not found. 2260 * SMB_ADS_STAT_DUP - if the computer account is already used by other systems 2261 * in the AD. This could happen if the hostname of multiple 2262 * systems resolved to the same NetBIOS name. 2263 * SMB_ADS_STAT_ERR - any failure. 2264 */ 2265 static smb_ads_qstat_t 2266 smb_ads_lookup_computer_n_attr(smb_ads_handle_t *ah, smb_ads_avpair_t *avpair, 2267 int scope, char *dn) 2268 { 2269 char *attrs[3], filter[SMB_ADS_MAXBUFLEN]; 2270 LDAPMessage *res; 2271 char sam_acct[SMB_SAMACCT_MAXLEN], sam_acct2[SMB_SAMACCT_MAXLEN]; 2272 smb_ads_qstat_t rc; 2273 2274 if (smb_getsamaccount(sam_acct, sizeof (sam_acct)) != 0) 2275 return (SMB_ADS_STAT_ERR); 2276 2277 res = NULL; 2278 attrs[0] = SMB_ADS_ATTR_DNSHOST; 2279 attrs[1] = NULL; 2280 attrs[2] = NULL; 2281 2282 if (avpair) { 2283 if (!avpair->avp_attr) 2284 return (SMB_ADS_STAT_ERR); 2285 2286 attrs[1] = avpair->avp_attr; 2287 } 2288 2289 if (smb_ads_escape_search_filter_chars(sam_acct, sam_acct2) != 0) 2290 return (SMB_ADS_STAT_ERR); 2291 2292 (void) snprintf(filter, sizeof (filter), 2293 "(&(objectClass=computer)(%s=%s))", SMB_ADS_ATTR_SAMACCT, 2294 sam_acct2); 2295 2296 if (ldap_search_s(ah->ld, dn, scope, filter, attrs, 0, 2297 &res) != LDAP_SUCCESS) { 2298 (void) ldap_msgfree(res); 2299 return (SMB_ADS_STAT_NOT_FOUND); 2300 } 2301 2302 rc = smb_ads_get_qstat(ah, res, avpair); 2303 /* free the search results */ 2304 (void) ldap_msgfree(res); 2305 return (rc); 2306 } 2307 2308 /* 2309 * smb_ads_find_computer 2310 * 2311 * Starts by searching for the system's AD computer object in the default 2312 * container (i.e. cn=Computers). If not found, searches the entire directory. 2313 * If found, 'dn' will be set to the distinguished name of the system's AD 2314 * computer object. 2315 */ 2316 static smb_ads_qstat_t 2317 smb_ads_find_computer(smb_ads_handle_t *ah, char *dn) 2318 { 2319 smb_ads_qstat_t stat; 2320 smb_ads_avpair_t avpair; 2321 2322 avpair.avp_attr = SMB_ADS_ATTR_DN; 2323 smb_ads_get_default_comp_container_dn(ah, dn, SMB_ADS_DN_MAX); 2324 stat = smb_ads_lookup_computer_n_attr(ah, &avpair, LDAP_SCOPE_ONELEVEL, 2325 dn); 2326 2327 if (stat == SMB_ADS_STAT_NOT_FOUND) { 2328 (void) strlcpy(dn, ah->domain_dn, SMB_ADS_DN_MAX); 2329 stat = smb_ads_lookup_computer_n_attr(ah, &avpair, 2330 LDAP_SCOPE_SUBTREE, dn); 2331 } 2332 2333 if (stat == SMB_ADS_STAT_FOUND) { 2334 (void) strlcpy(dn, avpair.avp_val, SMB_ADS_DN_MAX); 2335 free(avpair.avp_val); 2336 } 2337 2338 return (stat); 2339 } 2340 2341 /* 2342 * smb_ads_update_computer_cntrl_attr 2343 * 2344 * Modify the user account control attribute of an existing computer 2345 * object on AD. 2346 * 2347 * Returns LDAP error code. 2348 */ 2349 static int 2350 smb_ads_update_computer_cntrl_attr(smb_ads_handle_t *ah, int flags, char *dn) 2351 { 2352 LDAPMod *attrs[2]; 2353 char *ctl_val[2]; 2354 int ret = 0; 2355 char usrctl_buf[16]; 2356 2357 if (smb_ads_alloc_attr(attrs, sizeof (attrs) / sizeof (LDAPMod *)) != 0) 2358 return (LDAP_NO_MEMORY); 2359 2360 attrs[0]->mod_op = LDAP_MOD_REPLACE; 2361 attrs[0]->mod_type = SMB_ADS_ATTR_CTL; 2362 2363 (void) snprintf(usrctl_buf, sizeof (usrctl_buf), "%d", flags); 2364 ctl_val[0] = usrctl_buf; 2365 ctl_val[1] = 0; 2366 attrs[0]->mod_values = ctl_val; 2367 if ((ret = ldap_modify_s(ah->ld, dn, attrs)) != LDAP_SUCCESS) { 2368 syslog(LOG_NOTICE, "ldap_modify: %s", ldap_err2string(ret)); 2369 } 2370 2371 smb_ads_free_attr(attrs); 2372 return (ret); 2373 } 2374 2375 /* 2376 * smb_ads_lookup_computer_attr_kvno 2377 * 2378 * Lookup the value of the Kerberos version number attribute of the computer 2379 * account. 2380 */ 2381 static krb5_kvno 2382 smb_ads_lookup_computer_attr_kvno(smb_ads_handle_t *ah, char *dn) 2383 { 2384 smb_ads_avpair_t avpair; 2385 int kvno = 1; 2386 2387 avpair.avp_attr = SMB_ADS_ATTR_KVNO; 2388 if (smb_ads_lookup_computer_n_attr(ah, &avpair, 2389 LDAP_SCOPE_BASE, dn) == SMB_ADS_STAT_FOUND) { 2390 kvno = atoi(avpair.avp_val); 2391 free(avpair.avp_val); 2392 } 2393 2394 return (kvno); 2395 } 2396 2397 /* 2398 * smb_ads_gen_machine_passwd 2399 * 2400 * Returned a null-terminated machine password generated randomly 2401 * from [0-9a-zA-Z] character set. In order to pass the password 2402 * quality check (three character classes), an uppercase letter is 2403 * used as the first character of the machine password. 2404 */ 2405 static void 2406 smb_ads_gen_machine_passwd(char *machine_passwd, int bufsz) 2407 { 2408 char *data = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK" 2409 "LMNOPQRSTUVWXYZ"; 2410 int datalen = strlen(data); 2411 int i, data_idx; 2412 2413 assert(machine_passwd); 2414 assert(bufsz > 0); 2415 2416 /* 2417 * The decimal value of upper case 'A' is 65. Randomly pick 2418 * an upper-case letter from the ascii table. 2419 */ 2420 machine_passwd[0] = (random() % 26) + 65; 2421 for (i = 1; i < bufsz - 1; i++) { 2422 data_idx = random() % datalen; 2423 machine_passwd[i] = data[data_idx]; 2424 } 2425 2426 machine_passwd[bufsz - 1] = 0; 2427 } 2428 2429 /* 2430 * smb_ads_join 2431 * 2432 * Besides the NT-4 style domain join (using MS-RPC), CIFS server also 2433 * provides the domain join using Kerberos Authentication, Keberos 2434 * Change & Set password, and LDAP protocols. Basically, AD join 2435 * operation would require the following tickets to be acquired for the 2436 * the user account that is provided for the domain join. 2437 * 2438 * 1) a Keberos TGT ticket, 2439 * 2) a ldap service ticket, and 2440 * 3) kadmin/changpw service ticket 2441 * 2442 * The ADS client first sends a ldap search request to find out whether 2443 * or not the workstation trust account already exists in the Active Directory. 2444 * The existing computer object for this workstation will be removed and 2445 * a new one will be added. The machine account password is randomly 2446 * generated and set for the newly created computer object using KPASSWD 2447 * protocol (See RFC 3244). Once the password is set, our ADS client 2448 * finalizes the machine account by modifying the user acount control 2449 * attribute of the computer object. Kerberos keys derived from the machine 2450 * account password will be stored locally in /etc/krb5/krb5.keytab file. 2451 * That would be needed while acquiring Kerberos TGT ticket for the host 2452 * principal after the domain join operation. 2453 */ 2454 smb_adjoin_status_t 2455 smb_ads_join(char *domain, char *user, char *usr_passwd, char *machine_passwd, 2456 int len) 2457 { 2458 smb_ads_handle_t *ah = NULL; 2459 krb5_context ctx = NULL; 2460 krb5_principal krb5princs[SMBKRB5_SPN_IDX_MAX]; 2461 krb5_kvno kvno; 2462 boolean_t des_only, delete = B_TRUE; 2463 smb_adjoin_status_t rc = SMB_ADJOIN_SUCCESS; 2464 boolean_t new_acct; 2465 int dclevel, num, usrctl_flags = 0; 2466 smb_ads_qstat_t qstat; 2467 char dn[SMB_ADS_DN_MAX]; 2468 char *tmpfile; 2469 2470 /* 2471 * Call library functions that can be used to get 2472 * the list of encryption algorithms available on the system. 2473 * (similar to what 'encrypt -l' CLI does). For now, 2474 * unless someone has modified the configuration of the 2475 * cryptographic framework (very unlikely), the following is the 2476 * list of algorithms available on any system running Nevada 2477 * by default. 2478 */ 2479 krb5_enctype w2k8enctypes[] = {ENCTYPE_AES256_CTS_HMAC_SHA1_96, 2480 ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_ARCFOUR_HMAC, 2481 ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 2482 }; 2483 2484 krb5_enctype pre_w2k8enctypes[] = {ENCTYPE_ARCFOUR_HMAC, 2485 ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 2486 }; 2487 2488 krb5_enctype *encptr; 2489 2490 if ((ah = smb_ads_open_main(domain, user, usr_passwd)) == NULL) { 2491 smb_ccache_remove(SMB_CCACHE_PATH); 2492 return (SMB_ADJOIN_ERR_GET_HANDLE); 2493 } 2494 2495 smb_ads_gen_machine_passwd(machine_passwd, len); 2496 2497 if ((dclevel = smb_ads_get_dc_level(ah)) == -1) { 2498 smb_ads_close(ah); 2499 smb_ccache_remove(SMB_CCACHE_PATH); 2500 return (SMB_ADJOIN_ERR_GET_DCLEVEL); 2501 } 2502 2503 qstat = smb_ads_find_computer(ah, dn); 2504 switch (qstat) { 2505 case SMB_ADS_STAT_FOUND: 2506 new_acct = B_FALSE; 2507 if (smb_ads_modify_computer(ah, dclevel, dn) != 0) { 2508 smb_ads_close(ah); 2509 smb_ccache_remove(SMB_CCACHE_PATH); 2510 return (SMB_ADJOIN_ERR_MOD_TRUST_ACCT); 2511 } 2512 break; 2513 2514 case SMB_ADS_STAT_NOT_FOUND: 2515 new_acct = B_TRUE; 2516 smb_ads_get_default_comp_dn(ah, dn, SMB_ADS_DN_MAX); 2517 if (smb_ads_add_computer(ah, dclevel, dn) != 0) { 2518 smb_ads_close(ah); 2519 smb_ccache_remove(SMB_CCACHE_PATH); 2520 return (SMB_ADJOIN_ERR_ADD_TRUST_ACCT); 2521 } 2522 break; 2523 2524 default: 2525 if (qstat == SMB_ADS_STAT_DUP) 2526 rc = SMB_ADJOIN_ERR_DUP_TRUST_ACCT; 2527 else 2528 rc = SMB_ADJOIN_ERR_TRUST_ACCT; 2529 smb_ads_close(ah); 2530 smb_ccache_remove(SMB_CCACHE_PATH); 2531 return (rc); 2532 } 2533 2534 des_only = B_FALSE; 2535 2536 if (smb_krb5_ctx_init(&ctx) != 0) { 2537 rc = SMB_ADJOIN_ERR_INIT_KRB_CTX; 2538 goto adjoin_cleanup; 2539 } 2540 2541 if (smb_krb5_get_principals(ah->domain, ctx, krb5princs) != 0) { 2542 rc = SMB_ADJOIN_ERR_GET_SPNS; 2543 goto adjoin_cleanup; 2544 } 2545 2546 if (smb_krb5_setpwd(ctx, krb5princs[SMBKRB5_SPN_IDX_HOST], 2547 machine_passwd) != 0) { 2548 rc = SMB_ADJOIN_ERR_KSETPWD; 2549 goto adjoin_cleanup; 2550 } 2551 2552 kvno = smb_ads_lookup_computer_attr_kvno(ah, dn); 2553 2554 /* 2555 * Only members of Domain Admins and Enterprise Admins can set 2556 * the TRUSTED_FOR_DELEGATION userAccountControl flag. 2557 */ 2558 if (smb_ads_update_computer_cntrl_attr(ah, 2559 SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION, dn) 2560 == LDAP_INSUFFICIENT_ACCESS) { 2561 usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT | 2562 SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD); 2563 2564 syslog(LOG_NOTICE, "Unable to set the " 2565 "TRUSTED_FOR_DELEGATION userAccountControl flag on " 2566 "the machine account in Active Directory. Please refer " 2567 "to the Troubleshooting guide for more information."); 2568 2569 } else { 2570 usrctl_flags |= (SMB_ADS_USER_ACCT_CTL_WKSTATION_TRUST_ACCT | 2571 SMB_ADS_USER_ACCT_CTL_TRUSTED_FOR_DELEGATION | 2572 SMB_ADS_USER_ACCT_CTL_DONT_EXPIRE_PASSWD); 2573 } 2574 2575 if (des_only) 2576 usrctl_flags |= SMB_ADS_USER_ACCT_CTL_USE_DES_KEY_ONLY; 2577 2578 if (smb_ads_update_computer_cntrl_attr(ah, usrctl_flags, dn) 2579 != 0) { 2580 rc = SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR; 2581 goto adjoin_cleanup; 2582 } 2583 2584 if (dclevel >= SMB_ADS_DCLEVEL_W2K8) { 2585 num = sizeof (w2k8enctypes) / sizeof (krb5_enctype); 2586 encptr = w2k8enctypes; 2587 } else { 2588 num = sizeof (pre_w2k8enctypes) / sizeof (krb5_enctype); 2589 encptr = pre_w2k8enctypes; 2590 } 2591 2592 tmpfile = mktemp(SMBNS_KRB5_KEYTAB_TMP); 2593 if (tmpfile == NULL) 2594 tmpfile = SMBNS_KRB5_KEYTAB_TMP; 2595 2596 if (smb_krb5_add_keytab_entries(ctx, krb5princs, tmpfile, 2597 kvno, machine_passwd, encptr, num) != 0) { 2598 rc = SMB_ADJOIN_ERR_WRITE_KEYTAB; 2599 goto adjoin_cleanup; 2600 } 2601 2602 delete = B_FALSE; 2603 adjoin_cleanup: 2604 if (new_acct && delete) 2605 smb_ads_del_computer(ah, dn); 2606 2607 if (rc != SMB_ADJOIN_ERR_INIT_KRB_CTX) { 2608 if (rc != SMB_ADJOIN_ERR_GET_SPNS) 2609 smb_krb5_free_principals(ctx, krb5princs, 2610 SMBKRB5_SPN_IDX_MAX); 2611 smb_krb5_ctx_fini(ctx); 2612 } 2613 2614 /* commit keytab file */ 2615 if (rc == SMB_ADJOIN_SUCCESS) { 2616 if (rename(tmpfile, SMBNS_KRB5_KEYTAB) != 0) { 2617 (void) unlink(tmpfile); 2618 rc = SMB_ADJOIN_ERR_COMMIT_KEYTAB; 2619 } else { 2620 /* Set IDMAP config */ 2621 if (smb_config_set_idmap_domain(ah->domain) != 0) { 2622 rc = SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN; 2623 } else { 2624 2625 /* Refresh IDMAP service */ 2626 if (smb_config_refresh_idmap() != 0) 2627 rc = SMB_ADJOIN_ERR_IDMAP_REFRESH; 2628 } 2629 } 2630 } else { 2631 (void) unlink(tmpfile); 2632 } 2633 2634 smb_ads_close(ah); 2635 smb_ccache_remove(SMB_CCACHE_PATH); 2636 return (rc); 2637 } 2638 2639 /* 2640 * smb_ads_join_errmsg 2641 * 2642 * Display error message for the specific adjoin error code. 2643 */ 2644 void 2645 smb_ads_join_errmsg(smb_adjoin_status_t status) 2646 { 2647 int i; 2648 struct xlate_table { 2649 smb_adjoin_status_t status; 2650 char *msg; 2651 } adjoin_table[] = { 2652 { SMB_ADJOIN_ERR_GET_HANDLE, "Failed to connect to an " 2653 "Active Directory server." }, 2654 { SMB_ADJOIN_ERR_GET_DCLEVEL, "Unknown functional level of " 2655 "the domain controller. The rootDSE attribute named " 2656 "\"domainControllerFunctionality\" is missing from the " 2657 "Active Directory." }, 2658 { SMB_ADJOIN_ERR_ADD_TRUST_ACCT, "Failed to create the " 2659 "workstation trust account." }, 2660 { SMB_ADJOIN_ERR_MOD_TRUST_ACCT, "Failed to modify the " 2661 "workstation trust account." }, 2662 { SMB_ADJOIN_ERR_DUP_TRUST_ACCT, "Failed to create the " 2663 "workstation trust account because its name is already " 2664 "in use." }, 2665 { SMB_ADJOIN_ERR_TRUST_ACCT, "Error in querying the " 2666 "workstation trust account" }, 2667 { SMB_ADJOIN_ERR_INIT_KRB_CTX, "Failed to initialize Kerberos " 2668 "context." }, 2669 { SMB_ADJOIN_ERR_GET_SPNS, "Failed to get Kerberos " 2670 "principals." }, 2671 { SMB_ADJOIN_ERR_KSETPWD, "Failed to set machine password." }, 2672 { SMB_ADJOIN_ERR_UPDATE_CNTRL_ATTR, "Failed to modify " 2673 "userAccountControl attribute of the workstation trust " 2674 "account." }, 2675 { SMB_ADJOIN_ERR_WRITE_KEYTAB, "Error in writing to local " 2676 "keytab file (i.e /etc/krb5/krb5.keytab)." }, 2677 { SMB_ADJOIN_ERR_IDMAP_SET_DOMAIN, "Failed to update idmap " 2678 "configuration." }, 2679 { SMB_ADJOIN_ERR_IDMAP_REFRESH, "Failed to refresh idmap " 2680 "service." }, 2681 { SMB_ADJOIN_ERR_COMMIT_KEYTAB, "Failed to commit changes to " 2682 "local keytab file (i.e. /etc/krb5/krb5.keytab)." } 2683 }; 2684 2685 for (i = 0; i < sizeof (adjoin_table) / sizeof (adjoin_table[0]); i++) { 2686 if (adjoin_table[i].status == status) 2687 syslog(LOG_NOTICE, "%s", adjoin_table[i].msg); 2688 } 2689 } 2690 2691 /* 2692 * smb_ads_match_pdc 2693 * 2694 * Returns B_TRUE if the given host's IP address matches the preferred DC's 2695 * IP address. Otherwise, returns B_FALSE. 2696 */ 2697 static boolean_t 2698 smb_ads_match_pdc(smb_ads_host_info_t *host) 2699 { 2700 boolean_t match = B_FALSE; 2701 2702 if (!host) 2703 return (match); 2704 2705 (void) mutex_lock(&smb_ads_cfg.c_mtx); 2706 if (smb_inet_equal(&host->ipaddr, &smb_ads_cfg.c_pdc)) 2707 match = B_TRUE; 2708 (void) mutex_unlock(&smb_ads_cfg.c_mtx); 2709 2710 return (match); 2711 } 2712 2713 /* 2714 * smb_ads_select_dcfromsubnet 2715 * 2716 * This method walks the list of DCs and returns the first DC record that 2717 * responds to ldap ping and is in the same subnet as the host. 2718 * 2719 * Returns a pointer to the found DC record. 2720 * Returns NULL, on error or if no DC record is found. 2721 */ 2722 static smb_ads_host_info_t * 2723 smb_ads_select_dcfromsubnet(smb_ads_host_list_t *hlist) 2724 { 2725 smb_ads_host_info_t *hentry; 2726 smb_nic_t *lnic; 2727 smb_niciter_t ni; 2728 size_t cnt; 2729 int i; 2730 2731 if (smb_nic_getfirst(&ni) != 0) 2732 return (NULL); 2733 do { 2734 lnic = &ni.ni_nic; 2735 cnt = hlist->ah_cnt; 2736 2737 for (i = 0; i < cnt; i++) { 2738 hentry = &hlist->ah_list[i]; 2739 if ((hentry->ipaddr.a_family == AF_INET) && 2740 (lnic->nic_ip.a_family == AF_INET)) { 2741 if ((hentry->ipaddr.a_ipv4 & 2742 lnic->nic_mask) == 2743 (lnic->nic_ip.a_ipv4 & 2744 lnic->nic_mask)) 2745 if (smb_ads_ldap_ping(hentry) == 0) 2746 return (hentry); 2747 } 2748 } 2749 } while (smb_nic_getnext(&ni) == 0); 2750 2751 return (NULL); 2752 } 2753 2754 /* 2755 * smb_ads_select_dcfromlist 2756 * 2757 * This method walks the list of DCs and returns the first DC that 2758 * responds to ldap ping. 2759 * 2760 * Returns a pointer to the found DC record. 2761 * Returns NULL if no DC record is found. 2762 */ 2763 static smb_ads_host_info_t * 2764 smb_ads_select_dcfromlist(smb_ads_host_list_t *hlist) 2765 { 2766 smb_ads_host_info_t *hentry; 2767 size_t cnt; 2768 int i; 2769 2770 cnt = hlist->ah_cnt; 2771 for (i = 0; i < cnt; i++) { 2772 hentry = &hlist->ah_list[i]; 2773 if (smb_ads_ldap_ping(hentry) == 0) 2774 return (hentry); 2775 } 2776 2777 return (NULL); 2778 } 2779 2780 /* 2781 * smb_ads_dc_compare 2782 * 2783 * Comparision function for sorting host entries (SRV records of DC) via qsort. 2784 * RFC 2052/2782 are taken as reference, while implementing this algorithm. 2785 * 2786 * Domain Controllers(DCs) with lowest priority in their SRV DNS records 2787 * are selected first. If they have equal priorities, then DC with highest 2788 * weight in its SRV DNS record is selected. If the priority and weight are 2789 * both equal, then the DC at the top of the list is selected. 2790 */ 2791 static int 2792 smb_ads_dc_compare(const void *p, const void *q) 2793 { 2794 smb_ads_host_info_t *h1 = (smb_ads_host_info_t *)p; 2795 smb_ads_host_info_t *h2 = (smb_ads_host_info_t *)q; 2796 2797 if (h1->priority < h2->priority) 2798 return (-1); 2799 if (h1->priority > h2->priority) 2800 return (1); 2801 2802 /* Priorities are equal */ 2803 if (h1->weight < h2->weight) 2804 return (1); 2805 if (h1->weight > h2->weight) 2806 return (-1); 2807 2808 return (0); 2809 } 2810 2811 /* 2812 * smb_ads_select_dc 2813 * 2814 * The list of ADS hosts returned by ADS lookup, is sorted by lowest priority 2815 * and highest weight. On this sorted list, following additional rules are 2816 * applied, to select a DC. 2817 * 2818 * - If there is a DC in the same subnet, then return the DC, 2819 * if it responds to ldap ping. 2820 * - Else, return first DC that responds to ldap ping. 2821 * 2822 * A reference to the host entry from input host list is returned. 2823 * 2824 * Returns NULL on error. 2825 */ 2826 static smb_ads_host_info_t * 2827 smb_ads_select_dc(smb_ads_host_list_t *hlist) 2828 { 2829 smb_ads_host_info_t *hentry = NULL; 2830 2831 if (hlist->ah_cnt == 0) 2832 return (NULL); 2833 2834 if (hlist->ah_cnt == 1) { 2835 hentry = hlist->ah_list; 2836 if (smb_ads_ldap_ping(hentry) == 0) 2837 return (hentry); 2838 } 2839 2840 /* Sort the list by priority and weight */ 2841 qsort(hlist->ah_list, hlist->ah_cnt, 2842 sizeof (smb_ads_host_info_t), smb_ads_dc_compare); 2843 2844 if ((hentry = smb_ads_select_dcfromsubnet(hlist)) != NULL) 2845 return (hentry); 2846 2847 if ((hentry = smb_ads_select_dcfromlist(hlist)) != NULL) 2848 return (hentry); 2849 2850 return (NULL); 2851 } 2852 2853 /* 2854 * smb_ads_lookup_msdcs 2855 * 2856 * If server argument is set, try to locate the specified DC. 2857 * If it is set to empty string, locate any DCs in the specified domain. 2858 * Returns the discovered DC via buf. 2859 * 2860 * fqdn - fully-qualified domain name 2861 * server - fully-qualifed hostname of a DC 2862 * buf - the hostname of the discovered DC 2863 */ 2864 boolean_t 2865 smb_ads_lookup_msdcs(char *fqdn, char *server, char *buf, uint32_t buflen) 2866 { 2867 smb_ads_host_info_t *hinfo = NULL; 2868 char *p; 2869 char *sought_host; 2870 char ipstr[INET6_ADDRSTRLEN]; 2871 2872 if (!fqdn || !buf) 2873 return (B_FALSE); 2874 2875 ipstr[0] = '\0'; 2876 *buf = '\0'; 2877 sought_host = (*server == 0 ? NULL : server); 2878 if ((hinfo = smb_ads_find_host(fqdn, sought_host)) == NULL) 2879 return (B_FALSE); 2880 2881 (void) smb_inet_ntop(&hinfo->ipaddr, ipstr, 2882 SMB_IPSTRLEN(hinfo->ipaddr.a_family)); 2883 smb_tracef("msdcsLookupADS: %s [%s]", hinfo->name, ipstr); 2884 2885 (void) strlcpy(buf, hinfo->name, buflen); 2886 /* 2887 * Remove the domain extension 2888 */ 2889 if ((p = strchr(buf, '.')) != 0) 2890 *p = '\0'; 2891 2892 free(hinfo); 2893 return (B_TRUE); 2894 } 2895