net ads cldap functions
Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
Copyright (C) 2003 Jim McDonough (jmcd@us.ibm.com)
+ Copyright (C) 2008 Guenther Deschner (gd@samba.org)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
-/*
- These seem to be strings as described in RFC1035 4.1.4 and can be:
-
- - a sequence of labels ending in a zero octet
- - a pointer
- - a sequence of labels ending with a pointer
-
- A label is a byte where the first two bits must be zero and the remaining
- bits represent the length of the label followed by the label itself.
- Therefore, the length of a label is at max 64 bytes. Under RFC1035, a
- sequence of labels cannot exceed 255 bytes.
-
- A pointer consists of a 14 bit offset from the beginning of the data.
-
- struct ptr {
- unsigned ident:2; // must be 11
- unsigned offset:14; // from the beginning of data
- };
-
- This is used as a method to compress the packet by eliminated duplicate
- domain components. Since a UDP packet should probably be < 512 bytes and a
- DNS name can be up to 255 bytes, this actually makes a lot of sense.
-*/
-static unsigned pull_netlogon_string(char *ret, const char *ptr,
- const char *data)
-{
- char *pret = ret;
- int followed_ptr = 0;
- unsigned ret_len = 0;
-
- memset(pret, 0, MAX_DNS_LABEL);
- do {
- if ((*ptr & 0xc0) == 0xc0) {
- uint16 len;
-
- if (!followed_ptr) {
- ret_len += 2;
- followed_ptr = 1;
- }
- len = ((ptr[0] & 0x3f) << 8) | ptr[1];
- ptr = data + len;
- } else if (*ptr) {
- uint8 len = (uint8)*(ptr++);
-
- if ((pret - ret + len + 1) >= MAX_DNS_LABEL) {
- DEBUG(1,("DC returning too long DNS name\n"));
- return 0;
- }
-
- if (pret != ret) {
- *pret = '.';
- pret++;
- }
- memcpy(pret, ptr, len);
- pret += len;
- ptr += len;
-
- if (!followed_ptr) {
- ret_len += (len + 1);
- }
- }
- } while (*ptr);
-
- return followed_ptr ? ret_len : ret_len + 1;
-}
-
/*
do a cldap netlogon query
*/
-static int send_cldap_netlogon(int sock, const char *domain,
+static int send_cldap_netlogon(TALLOC_CTX *mem_ctx, int sock, const char *domain,
const char *hostname, unsigned ntversion)
{
- ASN1_DATA data;
+ ASN1_DATA *data;
char ntver[4];
#ifdef CLDAP_USER_QUERY
char aac[4];
#endif
SIVAL(ntver, 0, ntversion);
- memset(&data, 0, sizeof(data));
+ data = asn1_init(mem_ctx);
+ if (data == NULL) {
+ return -1;
+ }
- asn1_push_tag(&data,ASN1_SEQUENCE(0));
- asn1_write_Integer(&data, 4);
- asn1_push_tag(&data, ASN1_APPLICATION(3));
- asn1_write_OctetString(&data, NULL, 0);
- asn1_write_enumerated(&data, 0);
- asn1_write_enumerated(&data, 0);
- asn1_write_Integer(&data, 0);
- asn1_write_Integer(&data, 0);
- asn1_write_BOOLEAN2(&data, False);
- asn1_push_tag(&data, ASN1_CONTEXT(0));
+ asn1_push_tag(data,ASN1_SEQUENCE(0));
+ asn1_write_Integer(data, 4);
+ asn1_push_tag(data, ASN1_APPLICATION(3));
+ asn1_write_OctetString(data, NULL, 0);
+ asn1_write_enumerated(data, 0);
+ asn1_write_enumerated(data, 0);
+ asn1_write_Integer(data, 0);
+ asn1_write_Integer(data, 0);
+ asn1_write_BOOLEAN(data, False);
+ asn1_push_tag(data, ASN1_CONTEXT(0));
if (domain) {
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, "DnsDomain", 9);
- asn1_write_OctetString(&data, domain, strlen(domain));
- asn1_pop_tag(&data);
+ asn1_push_tag(data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(data, "DnsDomain", 9);
+ asn1_write_OctetString(data, domain, strlen(domain));
+ asn1_pop_tag(data);
}
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, "Host", 4);
- asn1_write_OctetString(&data, hostname, strlen(hostname));
- asn1_pop_tag(&data);
+ asn1_push_tag(data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(data, "Host", 4);
+ asn1_write_OctetString(data, hostname, strlen(hostname));
+ asn1_pop_tag(data);
#ifdef CLDAP_USER_QUERY
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, "User", 4);
- asn1_write_OctetString(&data, "SAMBA$", 6);
- asn1_pop_tag(&data);
-
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, "AAC", 4);
- asn1_write_OctetString(&data, aac, 4);
- asn1_pop_tag(&data);
+ asn1_push_tag(data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(data, "User", 4);
+ asn1_write_OctetString(data, "SAMBA$", 6);
+ asn1_pop_tag(data);
+
+ asn1_push_tag(data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(data, "AAC", 4);
+ asn1_write_OctetString(data, aac, 4);
+ asn1_pop_tag(data);
#endif
- asn1_push_tag(&data, ASN1_CONTEXT(3));
- asn1_write_OctetString(&data, "NtVer", 5);
- asn1_write_OctetString(&data, ntver, 4);
- asn1_pop_tag(&data);
+ asn1_push_tag(data, ASN1_CONTEXT(3));
+ asn1_write_OctetString(data, "NtVer", 5);
+ asn1_write_OctetString(data, ntver, 4);
+ asn1_pop_tag(data);
- asn1_pop_tag(&data);
+ asn1_pop_tag(data);
- asn1_push_tag(&data,ASN1_SEQUENCE(0));
- asn1_write_OctetString(&data, "NetLogon", 8);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
- asn1_pop_tag(&data);
+ asn1_push_tag(data,ASN1_SEQUENCE(0));
+ asn1_write_OctetString(data, "NetLogon", 8);
+ asn1_pop_tag(data);
+ asn1_pop_tag(data);
+ asn1_pop_tag(data);
- if (data.has_error) {
- DEBUG(2,("Failed to build cldap netlogon at offset %d\n", (int)data.ofs));
- asn1_free(&data);
+ if (data->has_error) {
+ DEBUG(2,("Failed to build cldap netlogon at offset %d\n", (int)data->ofs));
+ asn1_free(data);
return -1;
}
- if (write(sock, data.data, data.length) != (ssize_t)data.length) {
+ if (write(sock, data->data, data->length) != (ssize_t)data->length) {
DEBUG(2,("failed to send cldap query (%s)\n", strerror(errno)));
+ asn1_free(data);
+ return -1;
}
- asn1_free(&data);
+ asn1_free(data);
return 0;
}
-static SIG_ATOMIC_T gotalarm;
-
-/***************************************************************
- Signal function to tell us we timed out.
-****************************************************************/
-
-static void gotalarm_sig(void)
-{
- gotalarm = 1;
-}
-
/*
receive a cldap netlogon reply
*/
-static int recv_cldap_netlogon(int sock, struct cldap_netlogon_reply *reply)
+static int recv_cldap_netlogon(TALLOC_CTX *mem_ctx,
+ int sock,
+ uint32_t nt_version,
+ struct netlogon_samlogon_response **reply)
{
int ret;
- ASN1_DATA data;
- DATA_BLOB blob;
- DATA_BLOB os1, os2, os3;
+ ASN1_DATA *data;
+ DATA_BLOB blob = data_blob_null;
+ DATA_BLOB os1 = data_blob_null;
+ DATA_BLOB os2 = data_blob_null;
+ DATA_BLOB os3 = data_blob_null;
int i1;
- char *p;
+ struct netlogon_samlogon_response *r = NULL;
+ NTSTATUS status;
+
+ fd_set r_fds;
+ struct timeval timeout;
blob = data_blob(NULL, 8192);
if (blob.data == NULL) {
return -1;
}
- /* Setup timeout */
- gotalarm = 0;
- CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
- alarm(lp_ldap_timeout());
- /* End setup timeout. */
-
- ret = read(sock, blob.data, blob.length);
+ if (sock < 0 || sock >= FD_SETSIZE) {
+ errno = EBADF;
+ return -1;
+ }
- /* Teardown timeout. */
- CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
- alarm(0);
+ FD_ZERO(&r_fds);
+ FD_SET(sock, &r_fds);
- if (ret <= 0) {
- DEBUG(1,("no reply received to cldap netlogon\n"));
+ /*
+ * half the time of a regular ldap timeout, not less than 3 seconds.
+ */
+ timeout.tv_sec = MAX(3,lp_ldap_timeout()/2);
+ timeout.tv_usec = 0;
+
+ ret = sys_select(sock+1, &r_fds, NULL, NULL, &timeout);
+ if (ret == -1) {
+ DEBUG(10, ("select failed: %s\n", strerror(errno)));
data_blob_free(&blob);
return -1;
}
- blob.length = ret;
- asn1_load(&data, blob);
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_read_Integer(&data, &i1);
- asn1_start_tag(&data, ASN1_APPLICATION(4));
- asn1_read_OctetString(&data, &os1);
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_start_tag(&data, ASN1_SEQUENCE(0));
- asn1_read_OctetString(&data, &os2);
- asn1_start_tag(&data, ASN1_SET);
- asn1_read_OctetString(&data, &os3);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
- asn1_end_tag(&data);
-
- if (data.has_error) {
+ if (ret == 0) {
+ DEBUG(1,("no reply received to cldap netlogon "
+ "(select timeout %u sec)\n",
+ (unsigned int)timeout.tv_sec));
data_blob_free(&blob);
- asn1_free(&data);
- DEBUG(1,("Failed to parse cldap reply\n"));
return -1;
}
- p = (char *)os3.data;
-
- reply->type = IVAL(p, 0); p += 4;
- reply->flags = IVAL(p, 0); p += 4;
+ ret = read(sock, blob.data, blob.length);
+ if (ret <= 0) {
+ DEBUG(1,("no reply received to cldap netlogon "
+ "(ret = %d: Error = %s)\n",
+ ret,
+ ret == -1 ? strerror(errno) : "" ));
+ data_blob_free(&blob);
+ return -1;
+ }
+ blob.length = ret;
- memcpy(&reply->guid.info, p, UUID_FLAT_SIZE);
- p += UUID_FLAT_SIZE;
+ data = asn1_init(mem_ctx);
+ if (data == NULL) {
+ data_blob_free(&blob);
+ return -1;
+ }
- p += pull_netlogon_string(reply->forest, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->domain, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->hostname, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->netbios_domain, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->netbios_hostname, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->unk, p, (const char *)os3.data);
+ asn1_load(data, blob);
+ asn1_start_tag(data, ASN1_SEQUENCE(0));
+ asn1_read_Integer(data, &i1);
+ asn1_start_tag(data, ASN1_APPLICATION(4));
+ asn1_read_OctetString(data, NULL, &os1);
+ asn1_start_tag(data, ASN1_SEQUENCE(0));
+ asn1_start_tag(data, ASN1_SEQUENCE(0));
+ asn1_read_OctetString(data, NULL, &os2);
+ asn1_start_tag(data, ASN1_SET);
+ asn1_read_OctetString(data, NULL, &os3);
+ asn1_end_tag(data);
+ asn1_end_tag(data);
+ asn1_end_tag(data);
+ asn1_end_tag(data);
+ asn1_end_tag(data);
+
+ if (data->has_error) {
+ data_blob_free(&blob);
+ data_blob_free(&os1);
+ data_blob_free(&os2);
+ data_blob_free(&os3);
+ asn1_free(data);
+ DEBUG(1,("Failed to parse cldap reply\n"));
+ return -1;
+ }
- if (reply->type == SAMLOGON_AD_R) {
- p += pull_netlogon_string(reply->user_name, p, (const char *)os3.data);
- } else {
- *reply->user_name = 0;
+ r = TALLOC_ZERO_P(mem_ctx, struct netlogon_samlogon_response);
+ if (!r) {
+ errno = ENOMEM;
+ data_blob_free(&os1);
+ data_blob_free(&os2);
+ data_blob_free(&os3);
+ data_blob_free(&blob);
+ asn1_free(data);
+ return -1;
}
- p += pull_netlogon_string(reply->server_site_name, p, (const char *)os3.data);
- p += pull_netlogon_string(reply->client_site_name, p, (const char *)os3.data);
+ status = pull_netlogon_samlogon_response(&os3, mem_ctx, NULL, r);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&os1);
+ data_blob_free(&os2);
+ data_blob_free(&os3);
+ data_blob_free(&blob);
+ asn1_free(data);
+ TALLOC_FREE(r);
+ return -1;
+ }
- reply->version = IVAL(p, 0);
- reply->lmnt_token = SVAL(p, 4);
- reply->lm20_token = SVAL(p, 6);
+ map_netlogon_samlogon_response(r);
data_blob_free(&os1);
data_blob_free(&os2);
data_blob_free(&os3);
data_blob_free(&blob);
-
- asn1_free(&data);
+
+ asn1_free(data);
+
+ if (reply) {
+ *reply = r;
+ } else {
+ TALLOC_FREE(r);
+ }
return 0;
}
do a cldap netlogon query. Always 389/udp
*******************************************************************/
-BOOL ads_cldap_netlogon(const char *server, const char *realm, struct cldap_netlogon_reply *reply)
+bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
+ const char *server,
+ const char *realm,
+ uint32_t nt_version,
+ struct netlogon_samlogon_response **reply)
{
int sock;
int ret;
sock = open_udp_socket(server, LDAP_PORT );
if (sock == -1) {
- DEBUG(2,("ads_cldap_netlogon: Failed to open udp socket to %s\n",
- server));
+ DEBUG(2,("ads_cldap_netlogon: Failed to open udp socket to %s. "
+ "Error %s\n",
+ server,
+ strerror(errno) ));
return False;
}
- ret = send_cldap_netlogon(sock, realm, global_myname(), 6);
+ ret = send_cldap_netlogon(mem_ctx, sock, realm, global_myname(), nt_version);
if (ret != 0) {
+ close(sock);
return False;
}
- ret = recv_cldap_netlogon(sock, reply);
+ ret = recv_cldap_netlogon(mem_ctx, sock, nt_version, reply);
close(sock);
if (ret == -1) {
return True;
}
+
+/*******************************************************************
+ do a cldap netlogon query. Always 389/udp
+*******************************************************************/
+
+bool ads_cldap_netlogon_5(TALLOC_CTX *mem_ctx,
+ const char *server,
+ const char *realm,
+ struct NETLOGON_SAM_LOGON_RESPONSE_EX *reply5)
+{
+ uint32_t nt_version = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX;
+ struct netlogon_samlogon_response *reply = NULL;
+ bool ret;
+
+ ret = ads_cldap_netlogon(mem_ctx, server, realm, nt_version, &reply);
+ if (!ret) {
+ return false;
+ }
+
+ if (reply->ntver != NETLOGON_NT_VERSION_5EX) {
+ DEBUG(0,("ads_cldap_netlogon_5: nt_version mismatch: 0x%08x\n",
+ reply->ntver));
+ return false;
+ }
+
+ *reply5 = reply->data.nt5_ex;
+
+ return true;
+}