#define OID_KERBEROS5_OLD "1 2 840 48018 1 2 2"
#define OID_KERBEROS5 "1 2 840 113554 1 2 2"
-#define SPNGEO_NEG_RESULT_ACCEPT 0
-#define SPNGEO_NEG_RESULT_INCOMPLETE 1
-#define SPNGEO_NEG_RESULT_REJECT 2
+#define SPNEGO_NEG_RESULT_ACCEPT 0
+#define SPNEGO_NEG_RESULT_INCOMPLETE 1
+#define SPNEGO_NEG_RESULT_REJECT 2
#endif /* _ASN_1_H */
unsigned long strtoul(const char *nptr, char **endptr, int base);
#endif
+#ifndef HAVE_SETENV
+int setenv(const char *name, const char *value, int overwrite);
+#endif
+
#if (defined(USE_SETRESUID) && !defined(HAVE_SETRESUID_DECL))
/* stupid glibc */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
return t;
}
#endif
+
+#ifndef HAVE_SETENV
+ int setenv(const char *name, const char *value, int overwrite)
+{
+ char *p = NULL;
+ int ret = -1;
+
+ asprintf(&p, "%s=%s", name, value);
+
+ if (overwrite || getenv(name)) {
+ if (p) ret = putenv(p);
+ } else {
+ ret = 0;
+ }
+
+ return ret;
+}
+#endif
static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
{
gid_t *gids_saved;
- int ret, ngrp_saved;
+ int ret, ngrp_saved, num_gids;
if (non_root_mode()) {
*grpcnt = 0;
set_effective_gid(gid);
setgid(gid);
- ret = getgroups(*grpcnt, groups);
- if (ret >= 0) {
- *grpcnt = ret;
+ num_gids = getgroups(0, NULL);
+ if (num_gids + 1 > *grpcnt) {
+ *grpcnt = num_gids + 1;
+ ret = -1;
+ } else {
+ ret = getgroups(*grpcnt - 1, &groups[1]);
+ if (ret >= 0) {
+ groups[0] = gid;
+ *grpcnt = ret + 1;
+ }
}
restore_re_gid();
char *exp;
uint32 t;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ char *escaped_name = escape_ldap_string_alloc(name);
+ char *escaped_realm = escape_ldap_string_alloc(ads->config.realm);
+
+ if (!escaped_name || !escaped_realm) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
if (asprintf(&exp, "(|(sAMAccountName=%s)(userPrincipalName=%s@%s))",
- name, name, ads->config.realm) == -1) {
+ escaped_name, escaped_name, escaped_realm) == -1) {
DEBUG(1,("ads_name_to_sid: asprintf failed!\n"));
status = NT_STATUS_NO_MEMORY;
goto done;
done:
if (res) ads_msgfree(ads, res);
+ SAFE_FREE(escaped_name);
+ SAFE_FREE(escaped_realm);
+
return status;
}
return ADS_ERROR(LDAP_NO_MEMORY);
/* 0 means the conversion worked but the result was empty
- so we only fail if it's negative. In any case, it always
+ so we only fail if it's -1. In any case, it always
at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_exp, exp) < 0) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) < 0)) {
+ if ((push_utf8_talloc(ctx, &utf8_exp, exp) == (size_t)-1) ||
+ (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
rc = LDAP_NO_MEMORY;
goto done;
}
/* 0 means the conversion worked but the result was empty
so we only fail if it's negative. In any case, it always
at least nulls out the dest */
- if ((push_utf8_talloc(ctx, &utf8_exp, exp) < 0) ||
- (push_utf8_talloc(ctx, &utf8_path, bind_path) < 0)) {
+ if ((push_utf8_talloc(ctx, &utf8_exp, exp) == (size_t)-1) ||
+ (push_utf8_talloc(ctx, &utf8_path, bind_path) == (size_t)-1)) {
DEBUG(1,("ads_do_search: push_utf8_talloc() failed!"));
rc = LDAP_NO_MEMORY;
goto done;
static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
const char *org_unit)
{
- ADS_STATUS ret;
+ ADS_STATUS ret, status;
char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
char *ou_str;
TALLOC_CTX *ctx;
ads_mod_str(ctx, &mods, "operatingSystem", "Samba");
ads_mod_str(ctx, &mods, "operatingSystemVersion", VERSION);
- ads_gen_add(ads, new_dn, mods);
- ret = ads_set_machine_sd(ads, hostname, new_dn);
+ ret = ads_gen_add(ads, new_dn, mods);
+
+ if (!ADS_ERR_OK(ret))
+ goto done;
+
+ /* Do not fail if we can't set security descriptor
+ * it shouldn't be mandatory and probably we just
+ * don't have enough rights to do it.
+ */
+ status = ads_set_machine_sd(ads, hostname, new_dn);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0, ("Warning: ads_set_machine_sd: %s\n",
+ ads_errstr(status)));
+ }
done:
talloc_destroy(ctx);
return ret;
**/
ADS_STATUS ads_set_machine_sd(ADS_STRUCT *ads, const char *hostname, char *dn)
{
- const char *attrs[] = {"ntSecurityDescriptor", "objectSid", 0};
+ const char *attrs[] = {"nTSecurityDescriptor", "objectSid", 0};
char *exp = 0;
size_t sd_size = 0;
struct berval bval = {0, NULL};
NTSTATUS status;
ADS_STATUS ret;
DOM_SID sid;
- SEC_DESC *psd = 0;
- TALLOC_CTX *ctx = 0;
+ SEC_DESC *psd = NULL;
+ TALLOC_CTX *ctx = NULL;
+
+ /* Avoid segmentation fault in prs_mem_free if
+ * we have to bail out before prs_init */
+ ps_wire.is_dynamic = False;
if (!ads) return ADS_ERROR(LDAP_SERVER_DOWN);
goto ads_set_sd_error;
}
- ads_pull_sid(ads, msg, attrs[1], &sid);
+ if (!ads_pull_sid(ads, msg, attrs[1], &sid)) {
+ ret = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ goto ads_set_sd_error;
+ }
+
if (!(ctx = talloc_init("sec_io_desc"))) {
ret = ADS_ERROR(LDAP_NO_MEMORY);
goto ads_set_sd_error;
goto ads_set_sd_error;
}
- prs_init(&ps_wire, sd_size, ctx, MARSHALL);
+ if (!prs_init(&ps_wire, sd_size, ctx, MARSHALL)) {
+ ret = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
if (!sec_io_desc("sd_wire", &psd, &ps_wire, 1)) {
ret = ADS_ERROR(LDAP_NO_MEMORY);
goto ads_set_sd_error;
return False;
if (value->size && *((smb_ucs2_t *) value->data_p)) {
- pull_ucs2_talloc(ctx, (void **) &str_value,
- (const smb_ucs2_t *) value->data_p);
+ pull_ucs2_talloc(ctx, &str_value, (const smb_ucs2_t *) value->data_p);
status = ads_mod_str(ctx, mods, value->valuename, str_value);
return ADS_ERR_OK(status);
}
cur_str = (smb_ucs2_t *) value->data_p;
for (i=0; i < num_vals; i++)
- cur_str += pull_ucs2_talloc(ctx,
- (void **) &str_values[i],
- cur_str);
+ cur_str += pull_ucs2_talloc(ctx, &str_values[i],
+ cur_str);
status = ads_mod_strlist(ctx, mods, value->valuename,
(const char **) str_values);
uint8 b;
struct nesting *nesting;
- asn1_read_uint8(data, &b);
+ if (!asn1_read_uint8(data, &b))
+ return False;
+
if (b != tag) {
data->has_error = True;
return False;
return False;
}
- asn1_read_uint8(data, &b);
+ if (!asn1_read_uint8(data, &b)) {
+ return False;
+ }
+
if (b & 0x80) {
int n = b & 0x7f;
- asn1_read_uint8(data, &b);
+ if (!asn1_read_uint8(data, &b))
+ return False;
nesting->taglen = b;
while (n > 1) {
- asn1_read_uint8(data, &b);
+ if (!asn1_read_uint8(data, &b))
+ return False;
nesting->taglen = (nesting->taglen << 8) | b;
n--;
}
if (!asn1_start_tag(data, ASN1_ENUMERATED)) return False;
asn1_read_uint8(data, &b);
asn1_end_tag(data);
- return !data->has_error && (v == b);
+
+ if (v != b)
+ data->has_error = False;
+
+ return !data->has_error;
}
/* write an enumarted value to the stream */
/*
parse a spnego NTLMSSP challenge packet giving two security blobs
*/
-BOOL spnego_parse_challenge(DATA_BLOB blob,
+BOOL spnego_parse_challenge(const DATA_BLOB blob,
DATA_BLOB *chal1, DATA_BLOB *chal2)
{
BOOL ret;
/*
- generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords
+ generate a SPNEGO auth packet. This will contain the encrypted passwords
*/
DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
{
}
/*
- parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+ parse a SPNEGO auth packet. This contains the encrypted passwords
*/
BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
{
uint8 negResult;
if (NT_STATUS_IS_OK(nt_status)) {
- negResult = SPNGEO_NEG_RESULT_ACCEPT;
+ negResult = SPNEGO_NEG_RESULT_ACCEPT;
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- negResult = SPNGEO_NEG_RESULT_INCOMPLETE;
+ negResult = SPNEGO_NEG_RESULT_INCOMPLETE;
} else {
- negResult = SPNGEO_NEG_RESULT_REJECT;
+ negResult = SPNEGO_NEG_RESULT_REJECT;
}
ZERO_STRUCT(data);
asn1_push_tag(&data, ASN1_CONTEXT(0));
asn1_write_enumerated(&data, negResult);
asn1_pop_tag(&data);
- if (negResult == SPNGEO_NEG_RESULT_INCOMPLETE) {
+
+ if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
asn1_push_tag(&data,ASN1_CONTEXT(1));
asn1_write_OID(&data, OID_NTLMSSP);
asn1_pop_tag(&data);
/*****************************************************************************
convert a dos eclas/ecode to a NT status32 code
*****************************************************************************/
-NTSTATUS dos_to_ntstatus(int eclass, int ecode)
+NTSTATUS dos_to_ntstatus(uint8 eclass, uint32 ecode)
{
int i;
if (eclass == 0 && ecode == 0) return NT_STATUS_OK;
/* Set environment variable so we don't recursively call ourselves.
This may also be useful interactively. */
- SETENV(WINBINDD_DONT_ENV, "1", 1);
+ setenv(WINBINDD_DONT_ENV, "1", 1);
/* Initialise samba/rpc client stuff */
smbw_setshared("PASSWORD", p);
}
- smbw_setenv("PS1", "smbsh$ ");
+ setenv("PS1", "smbsh$ ");
sys_getwd(wd);
smbw_setshared(line, wd);
slprintf(line,sizeof(line)-1,"%s/smbwrapper.so", libd);
- smbw_setenv("LD_PRELOAD", line);
+ etenv("LD_PRELOAD", line);
slprintf(line,sizeof(line)-1,"%s/smbwrapper.32.so", libd);
if (file_exist(line, NULL)) {
slprintf(line,sizeof(line)-1,"%s/smbwrapper.32.so:DEFAULT", libd);
- smbw_setenv("_RLD_LIST", line);
+ setenv("_RLD_LIST", line);
slprintf(line,sizeof(line)-1,"%s/smbwrapper.so:DEFAULT", libd);
- smbw_setenv("_RLDN32_LIST", line);
+ setenv("_RLDN32_LIST", line);
} else {
slprintf(line,sizeof(line)-1,"%s/smbwrapper.so:DEFAULT", libd);
- smbw_setenv("_RLD_LIST", line);
+ setenv("_RLD_LIST", line);
}
{