From 95936258b3d828c9f2f1ccfb6225923fae6466b7 Mon Sep 17 00:00:00 2001 From: Packit Service Date: Dec 09 2020 07:26:42 +0000 Subject: Prepare for a new update Reverting patches so we can apply the latest update and changes can be seen in the spec file and sources. --- diff --git a/configure.ac b/configure.ac index 68877c7..221d8ae 100644 --- a/configure.ac +++ b/configure.ac @@ -263,46 +263,6 @@ AC_SUBST(LCOV) AC_SUBST(GCOV) AC_SUBST(GENHTML) -AC_PATH_PROG(BIN_CAT, cat, no) -if test "$BIN_CAT" = "no" ; then - AC_MSG_ERROR([cat is not available]) -else - AC_DEFINE_UNQUOTED(BIN_CAT, "$BIN_CAT", [path to cat, used in unit test]) -fi - -AC_PATH_PROG(BIN_TAC, tac, no) -if test "$BIN_TAC" = "no" ; then - AC_MSG_ERROR([tac is not available]) -else - AC_DEFINE_UNQUOTED(BIN_TAC, "$BIN_TAC", [path to tac, used in unit test]) -fi - -AC_PATH_PROG(BIN_REV, rev, no) -if test "$BIN_REV" = "no" ; then - AC_MSG_ERROR([rev is not available]) -else - AC_DEFINE_UNQUOTED(BIN_REV, "$BIN_REV", [path to rev, used in unit test]) -fi - -AC_PATH_PROG(BIN_ECHO, echo, no) -if test "$BIN_ECHO" = "no" ; then - AC_MSG_ERROR([echo is not available]) -else - AC_DEFINE_UNQUOTED(BIN_ECHO, "$BIN_ECHO", [path to echo, used in unit test]) -fi - -AC_MSG_CHECKING([where is Samba's net utility]) -AC_ARG_WITH([samba_data_tool], - AC_HELP_STRING([--with-samba-data-tool=/path], - [Path to Samba's net utility]), - [], - [with_samba_data_tool=/usr/bin/net]) -AC_MSG_RESULT([$with_samba_data_tool]) - -AC_DEFINE_UNQUOTED(SAMBA_DATA_TOOL, "$with_samba_data_tool", - [Path to Samba's net utility]) - -AC_SUBST(SAMBA_DATA_TOOL, [$with_samba_data_tool]) # --------------------------------------------------------------------- ADCLI_LT_RELEASE=$ADCLI_CURRENT:$ADCLI_REVISION:$ADCLI_AGE @@ -312,7 +272,6 @@ AC_CONFIG_FILES([Makefile build/Makefile doc/Makefile doc/version.xml - doc/samba_data_tool_path.xml library/Makefile tools/Makefile ]) diff --git a/doc/adcli.xml b/doc/adcli.xml index acced25..e18ba5d 100644 
--- a/doc/adcli.xml +++ b/doc/adcli.xml @@ -1,9 +1,6 @@ -]> + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> @@ -44,9 +41,6 @@ adcli update - adcli testjoin - - adcli create-user --domain=domain.example.com user @@ -93,11 +87,6 @@ --domain=domain.example.com computer - - adcli show-computer - --domain=domain.example.com - computer - 
@@ -113,60 +102,32 @@ The domain to connect to. If a domain is - not specified, then the domain part of the local computer's + not specified then the domain part of the local computer's host name is used. Kerberos realm for the domain. If not - specified, then the upper cased domain name is + specified then the upper cased domain name is used. Connect to a specific domain controller. - If not specified, then an appropriate domain controller + If not specified then an appropriate domain controller is automatically discovered. - - Connect to the domain controller - with LDAPS. By default the LDAP port is used and SASL - GSS-SPNEGO or GSSAPI is used for authentication and to - establish encryption. This should satisfy all - requirements set on the server side and LDAPS should - only be used if the LDAP port is not accessible due to - firewalls or other reasons. - Please note that the place where CA certificates - can be found to validate the AD DC certificates - must be configured in the OpenLDAP configuration - file, e.g. /etc/openldap/ldap.conf. - As an alternative it can be specified with the help of - an environment variable, e.g. - -$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com -... - - Please see - ldap.conf - 5 for details. - - - - + Use the specified kerberos credential - cache to authenticate with the domain. If no credential - cache is specified, the default kerberos credential - cache will be used. Credential caches of type FILE can - be given with the path to the file. For other - credential cache types, e.g. DIR, KEYRING or KCM, the - type must be specified explicitly together with a - suitable identifier. + cache to authenticate with the domain. If no file is specified or + is used, then the default kerberos credential cache will + be used. Use the specified user account to - authenticate with the domain. If not specified, then + authenticate with the domain. 
If not specified then the name 'Administrator' will be used. @@ -213,7 +174,7 @@ $ adcli info --domain-controller=dc.domain.example.com adcli info will output as much information as it can about the domain. The information is designed to be both machine and human readable. The command will exit with a non-zero exit code - if the domain does not exist or cannot be reached. + if the domain does note exist or cannot be reached. To show domain info for a specific domain controller use the option to specify which domain @@ -245,39 +206,35 @@ Password for Administrator: The short non-dotted name of the computer - account that will be created in the domain. If not specified, + account that will be created in the domain. If not specified then the first portion of the is used. The full distinguished name of the OU in - which to create the computer account. If not specified, + which to create the computer account. If not specified then the computer account will be created in a default location. Override the local machine's fully qualified - domain name. If not specified, the local machine's hostname - will be retrieved via gethostname(). - If gethostname() only returns a short name - getaddrinfo() with the AI_CANONNAME hint - is called to expand the name to a fully qualified domain - name. + domain name. If not specified the local machine's hostname + will be retrieved via gethostname(). Specify the path to the host keytab where host credentials will be written after a successful join - operation. If not specified, the default location will be + operation. If not specified the default location will be used, usually /etc/krb5.keytab. Specify the type of authentication that will be performed before creating the machine account in - the domain. If set to 'computer', then the computer must + the domain. If set to 'computer' then the computer must already have a preset account in the domain. If not specified and none of the other arguments have been specified, then will try both 
@@ -300,11 +257,6 @@ Password for Administrator: account. Not set by default. - - Set the description attribute on the computer - account. Not set by default. - - Additional service name for a kerberos principal to be created on the computer account. This @@ -325,21 +277,6 @@ Password for Administrator: password as input. - - Set or unset the TRUSTED_FOR_DELEGATION - flag in the userAccountControl attribute to allow or - not allow that Kerberos tickets can be forwarded to the - host. - - - - Add a service principal name. In - contrast to the the - hostname part can be specified as well in case the - service should be accessible with a different host - name as well. - - After a successful join print out information about join operation. This is output in a format that should @@ -351,36 +288,8 @@ Password for Administrator: machine account password. This is output in a format that should be both human and machine readable. - - - After a successful join add the domain - SID and the machine account password to the Samba - specific databases by calling Samba's - net utility. - - Please note that Samba's net - requires some settings in smb.conf - to create the database entries correctly. Most - important here is currently the - option, see - smb.conf5 - for details. - - - - If Samba's net - cannot be found at - &samba_data_tool;, this option can - be used to specific an alternative location with the - help of an absolute path. - - If supported on the AD side the - attribute will be set as - well. Either the current value or the default list of AD's supported - encryption types filtered by the permitted encryption types of the - client's Kerberos configuration are written. @@ -397,7 +306,7 @@ Password for Administrator: $ adcli update - If used with a credential cache, other attributes of the computer + If used with a credential cache other attributes of the computer account can be changed as well if the principal has sufficient privileges. 
@@ -413,20 +322,20 @@ $ adcli update --login-ccache=/tmp/krbcc_123 The short non-dotted name of the computer - account that will be created in the domain. If not specified, + account that will be created in the domain. If not specified it will be retrieved from the keytab entries. The local machine's fully qualified - domain name. If not specified, the local machine's hostname + domain name. If not specified the local machine's hostname will be retrieved from the keytab entries. Specify the path to the host keytab where current host credentials are stored and the new ones - will be written to. If not specified, the default + will be written to. If not specified the default location will be used, usually /etc/krb5.keytab. @@ -446,11 +355,6 @@ $ adcli update --login-ccache=/tmp/krbcc_123 account. Not set by default. - - Set the description attribute on the computer - account. Not set by default. - - Additional service name for a Kerberos principal to be created on the computer account. This 
@@ -469,96 +373,13 @@ $ adcli update --login-ccache=/tmp/krbcc_123 older than 30 days. - - Set or unset the TRUSTED_FOR_DELEGATION - flag in the userAccountControl attribute to allow or - not allow that Kerberos tickets can be forwarded to the - host. - - - - Add a service principal name. In - contrast to the the - hostname part can be specified as well in case the - service should be accessible with a different host - name as well. - - - - Remove a service principal name from - the keytab and the AD host object. - - After a successful join print out information about join operation. This is output in a format that should be both human and machine readable. - - - After a successful join add the domain - SID and the machine account password to the Samba - specific databases by calling Samba's - net utility. - - Please note that Samba's net - requires some settings in smb.conf - to create the database entries correctly. Most - important here is currently the - option, see - smb.conf5 - for details. - Note that if the machine account password is not - older than 30 days, you have to pass - to - force the update. - - - - If Samba's net - cannot be found at - &samba_data_tool;, this option can - be used to specific an alternative location with the - help of an absolute path. - - If supported on the AD side the - attribute will be set as - well. Either the current value or the default list of AD's supported - encryption types filtered by the permitted encryption types of the - client's Kerberos configuration are written. - - - - Testing if the machine account password is valid - - adcli testjoin uses the current credentials in - the keytab and tries to authenticate with the machine account to the AD - domain. If this works the machine account password and the join are - still valid. If it fails the machine account password or the whole - machine account have to be refreshed with - adcli join or adcli update. 
- - - -$ adcli testjoin - - - Only the global options not related to authentication are - available, additionally you can specify the following options to - control how this operation is done. - - - - - Specify the path to the host keytab where - current host credentials are stored and the new ones - will be written to. If not specified, the default - location will be used, usually - /etc/krb5.keytab. - - @@ -584,7 +405,7 @@ $ adcli create-user Fry --domain=domain.example.com \ The full distinguished name of the OU in - which to create the user account. If not specified, + which to create the user account. If not specified then the computer account will be created in a default location. @@ -618,16 +439,6 @@ $ adcli create-user Fry --domain=domain.example.com \ the new created user account, which should be the user's numeric primary user id. - - - Set the msSFU30NisDomain attribute of - the new created user account, which should be the user's - NIS domain is the NIS/YP service of Active Directory's Services for Unix (SFU) - are used. This is needed to let the 'UNIX attributes' tab of older Active - Directoy versions show the set UNIX specific attributes. If not specified - adcli will try to determine the NIS domain automatically if needed. - - @@ -670,7 +481,7 @@ $ adcli create-group Pilots --domain=domain.example.com \ The full distinguished name of the OU in - which to create the group. If not specified, + which to create the group. If not specified then the group will be created in a default location. 
@@ -750,14 +561,14 @@ Password for Administrator: The full distinguished name of the OU in - which to create the computer accounts. If not specified, + which to create the computer accounts. If not specified then the computer account will be created in a default location. Specify a one time password to use when - presetting the computer accounts. If not specified, then + presetting the computer accounts. If not specified then a default password will be used, which allows for later automatic joins. @@ -797,7 +608,7 @@ Password for Administrator: Reset Computer Account adcli reset-computer resets a computer account - in the domain. If the appropriate machine is currently joined to the + in the domain. If a the appropriate machine is currently joined to the domain, then its membership will be broken. The account must already exist. @@ -817,7 +628,7 @@ $ adcli reset-computer --domain=domain.example.com host2 Specify the type of authentication that will be performed before creating the machine account in - the domain. If set to 'computer', then the computer must + the domain. If set to 'computer' then the computer must already have a preset account in the domain. If not specified and none of the other arguments have been specified, then will try both @@ -850,29 +661,6 @@ Password for Administrator: - - Show Computer Account Attributes - - adcli show-computer show the computer account - attributes stored in AD. The account must already exist. - - -$ adcli show-computer --domain=domain.example.com host2 -Password for Administrator: - - - If the computer name contains a dot, then it is - treated as fully qualified host name, otherwise it is treated - as short computer name. - - If no computer name is specified, then the host name of the - computer adcli is running on is used, as returned by - gethostname(). - - The various global options can be used. - - - Bugs 
diff --git a/doc/samba_data_tool_path.xml.in b/doc/samba_data_tool_path.xml.in deleted file mode 100644 index a667c57..0000000 --- a/doc/samba_data_tool_path.xml.in +++ /dev/null @@ -1 +0,0 @@ -@SAMBA_DATA_TOOL@ diff --git a/library/Makefile.am b/library/Makefile.am index 4829555..39e8fd1 100644 --- a/library/Makefile.am +++ b/library/Makefile.am @@ -40,7 +40,6 @@ check_PROGRAMS = \ test-util \ test-ldap \ test-attrs \ - test-adenroll \ $(NULL) test_seq_SOURCES = seq.c test.c test.h @@ -57,10 +56,6 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES) test_attrs_CFLAGS = -DATTRS_TESTS test_attrs_LDADD = $(test_ldap_LDADD) -test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES) -test_adenroll_CFLAGS = -DADENROLL_TESTS -test_adenroll_LDADD = $(KRB5_LIBS) - TESTS = $(check_PROGRAMS) MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes diff --git a/library/adconn.c b/library/adconn.c index 7bab852..a294dfd 100644 --- a/library/adconn.c +++ b/library/adconn.c @@ -70,15 +70,12 @@ struct _adcli_conn_ctx { char *domain_name; char *domain_realm; char *domain_controller; - bool use_ldaps; char *canonical_host; char *domain_short; - char *domain_sid; adcli_disco *domain_disco; char *default_naming_context; char *configuration_naming_context; char **supported_capabilities; - char **supported_sasl_mechs; /* Connect state */ LDAP *ldap; 
@@ -88,36 +85,11 @@ struct _adcli_conn_ctx { krb5_keytab keytab; }; -static char *try_to_get_fqdn (const char *host_name) -{ - int ret; - char *fqdn = NULL; - struct addrinfo *res; - struct addrinfo hints; - - memset (&hints, 0, sizeof (struct addrinfo)); - hints.ai_socktype = SOCK_DGRAM; - hints.ai_flags = AI_CANONNAME; - - ret = getaddrinfo (host_name, NULL, &hints, &res); - if (ret != 0) { - _adcli_err ("Failed to find FQDN: %s", gai_strerror (ret)); - return NULL; - } - - fqdn = strdup (res->ai_canonname); - - freeaddrinfo (res); - - return fqdn; -} - static adcli_result ensure_host_fqdn (adcli_result res, adcli_conn *conn) { char hostname[HOST_NAME_MAX + 1]; - char *fqdn = NULL; int ret; if (res != ADCLI_SUCCESS) @@ -134,10 +106,7 @@ ensure_host_fqdn (adcli_result res, return ADCLI_ERR_UNEXPECTED; } - if (strchr (hostname, '.') == NULL) { - fqdn = try_to_get_fqdn (hostname); - } - conn->host_fqdn = fqdn != NULL ? fqdn : strdup (hostname); + conn->host_fqdn = strdup (hostname); return_unexpected_if_fail (conn->host_fqdn != NULL); return ADCLI_SUCCESS; } @@ -774,8 +743,7 @@ int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap static LDAP * connect_to_address (const char *host, - const char *canonical_host, - bool use_ldaps) + const char *canonical_host) { struct addrinfo *res = NULL; struct addrinfo *ai; @@ -785,16 +753,6 @@ connect_to_address (const char *host, char *url; int sock; int rc; - int opt_rc; - const char *port = "389"; - const char *proto = "ldap"; - const char *errmsg = NULL; - - if (use_ldaps) { - port = "636"; - proto = "ldaps"; - _adcli_info ("Using LDAPS to connect to %s", host); - } memset (&hints, '\0', sizeof(hints)); #ifdef AI_ADDRCONFIG 
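Review bot: In the second hunk (-134/+106) `conn->host_fqdn = strdup (hostname);` relies on `hostname` being NUL-terminated, and the `gethostname()` call that fills the buffer is above the hunk and not visible here; POSIX does not guarantee termination when the name is truncated to the buffer size, so a guard such as `hostname[sizeof hostname - 1] = '\0';` placed before the strdup would make the copy safe in that case. With the `try_to_get_fqdn` path removed, `host_fqdn` can now hold a short name, which a comment on the assignment would make explicit for later readers, e.g. `/* may be a short name: no getaddrinfo() expansion is done here */`. ensure_host_fqdn begins before the hunk.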
@@ -806,7 +764,7 @@ connect_to_address (const char *host, if (!canonical_host) canonical_host = host; - rc = getaddrinfo (host, port, &hints, &res); + rc = getaddrinfo (host, "389", &hints, &res); if (rc != 0) { _adcli_err ("Couldn't resolve host name: %s: %s", host, gai_strerror (rc)); return NULL; @@ -822,7 +780,7 @@ connect_to_address (const char *host, close (sock); } else { error = 0; - if (asprintf (&url, "%s://%s", proto, canonical_host) < 0) + if (asprintf (&url, "ldap://%s", canonical_host) < 0) return_val_if_reached (NULL); rc = ldap_init_fd (sock, 1, url, &ldap); free (url); @@ -832,25 +790,6 @@ connect_to_address (const char *host, ldap_err2string (rc)); break; } - - if (use_ldaps) { - rc = ldap_install_tls (ldap); - if (rc != LDAP_SUCCESS) { - opt_rc = ldap_get_option (ldap, - LDAP_OPT_DIAGNOSTIC_MESSAGE, - (void *) &errmsg); - if (opt_rc != LDAP_SUCCESS) { - errmsg = NULL; - } - _adcli_err ("Couldn't initialize TLS [%s]: %s", - ldap_err2string (rc), - errmsg == NULL ? "- no details -" - : errmsg); - ldap_unbind_ext_s (ldap, NULL, NULL); - ldap = NULL; - break; - } - } } } @@ -877,7 +816,6 @@ connect_and_lookup_naming (adcli_conn *conn, "defaultNamingContext", "configurationNamingContext", "supportedCapabilities", - "supportedSASLMechanisms", NULL }; @@ -887,8 +825,7 @@ connect_and_lookup_naming (adcli_conn *conn, if (!canonical_host) canonical_host = disco->host_addr; - ldap = connect_to_address (disco->host_addr, canonical_host, - adcli_conn_get_use_ldaps (conn)); + ldap = connect_to_address (disco->host_addr, canonical_host); if (ldap == NULL) return ADCLI_ERR_DIRECTORY; @@ -931,11 +868,6 @@ connect_and_lookup_naming (adcli_conn *conn, "supportedCapabilities"); } - if (conn->supported_sasl_mechs == NULL) { - conn->supported_sasl_mechs = _adcli_ldap_parse_values (ldap, results, - "supportedSASLMechanisms"); - } - ldap_msgfree (results); if (conn->default_naming_context == NULL) { 
@@ -1061,7 +993,6 @@ authenticate_to_directory (adcli_conn *conn) OM_uint32 minor; ber_len_t ssf; int ret; - const char *mech = "GSSAPI"; if (conn->ldap_authenticated) return ADCLI_SUCCESS; @@ -1073,30 +1004,12 @@ authenticate_to_directory (adcli_conn *conn) status = gss_krb5_ccache_name (&minor, conn->login_ccache_name, NULL); return_unexpected_if_fail (status == 0); - if (adcli_conn_get_use_ldaps (conn)) { - /* do not use SASL encryption on LDAPS connection */ - ssf = 0; - ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); - return_unexpected_if_fail (ret == 0); - ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MAX, &ssf); - return_unexpected_if_fail (ret == 0); - } else { - /* Clumsily tell ldap + cyrus-sasl that we want encryption */ - ssf = 1; - ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); - return_unexpected_if_fail (ret == 0); - } - - /* There are issues with cryrus-sasl and GSS-SPNEGO with TLS even if - * ssf_max is set to 0. To be on the safe side GSS-SPNEGO is only used - * without LDAPS. */ - if (adcli_conn_server_has_sasl_mech (conn, "GSS-SPNEGO") - && !adcli_conn_get_use_ldaps (conn)) { - mech = "GSS-SPNEGO"; - } - _adcli_info ("Using %s for SASL bind", mech); + /* Clumsily tell ldap + cyrus-sasl that we want encryption */ + ssf = 1; + ret = ldap_set_option (conn->ldap, LDAP_OPT_X_SASL_SSF_MIN, &ssf); + return_unexpected_if_fail (ret == 0); - ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, mech, NULL, NULL, + ret = ldap_sasl_interactive_bind_s (conn->ldap, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, sasl_interact, NULL); /* Clear the credential cache GSSAPI to use (for this thread) */ 
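Review bot: The new-side comment `/* Clumsily tell ldap + cyrus-sasl that we want encryption */` promises more than `ssf = 1` with `LDAP_OPT_X_SASL_SSF_MIN` delivers: a minimum SSF of 1 only demands that some SASL security layer be negotiated, and as far as I can tell the GSSAPI mechanism can satisfy that with an integrity-only layer, so confidentiality is not actually required by this setting. If encryption is the intent, the minimum should be raised to a value the deployment treats as "encrypted" (presumably via configuration rather than a literal), otherwise the comment should say what is enforced, e.g. `/* require at least an integrity-protected SASL layer for the GSSAPI bind */`. The `ret` from `ldap_sasl_interactive_bind_s` is evaluated after the hunk, so I cannot see how a failed bind is reported; authenticate_to_directory continues outside the hunk.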
@@ -1156,32 +1069,6 @@ lookup_short_name (adcli_conn *conn) } static void -lookup_domain_sid (adcli_conn *conn) -{ - char *attrs[] = { "objectSid", NULL, }; - LDAPMessage *results; - int ret; - - free (conn->domain_sid); - conn->domain_sid = NULL; - - ret = ldap_search_ext_s (conn->ldap, conn->default_naming_context, LDAP_SCOPE_BASE, - NULL, attrs, 0, NULL, NULL, NULL, -1, &results); - if (ret == LDAP_SUCCESS) { - conn->domain_sid = _adcli_ldap_parse_sid (conn->ldap, results, "objectSid"); - ldap_msgfree (results); - - if (conn->domain_sid) - _adcli_info ("Looked up domain SID: %s", conn->domain_sid); - else - _adcli_err ("No domain SID found"); - } else { - _adcli_ldap_handle_failure (conn->ldap, ADCLI_ERR_DIRECTORY, - "Couldn't lookup domain SID"); - } -} - -static void conn_clear_state (adcli_conn *conn) { conn->ldap_authenticated = 0; @@ -1261,7 +1148,6 @@ adcli_conn_connect (adcli_conn *conn) return res; lookup_short_name (conn); - lookup_domain_sid (conn); return ADCLI_SUCCESS; } @@ -1276,7 +1162,6 @@ adcli_conn_new (const char *domain_name) conn->refs = 1; conn->logins_allowed = ADCLI_LOGIN_COMPUTER_ACCOUNT | ADCLI_LOGIN_USER_ACCOUNT; adcli_conn_set_domain_name (conn, domain_name); - adcli_conn_set_use_ldaps (conn, false); return conn; } @@ -1290,7 +1175,6 @@ conn_free (adcli_conn *conn) free (conn->default_naming_context); free (conn->configuration_naming_context); _adcli_strv_free (conn->supported_capabilities); - _adcli_strv_free (conn->supported_sasl_mechs); free (conn->computer_name); free (conn->host_fqdn); @@ -1436,20 +1320,6 @@ adcli_conn_set_domain_controller (adcli_conn *conn, no_more_disco (conn); } -bool -adcli_conn_get_use_ldaps (adcli_conn *conn) -{ - return_val_if_fail (conn != NULL, NULL); - return conn->use_ldaps; -} - -void -adcli_conn_set_use_ldaps (adcli_conn *conn, bool value) -{ - return_if_fail (conn != NULL); - conn->use_ldaps = value; -} - const char * adcli_conn_get_domain_short (adcli_conn *conn) { 
@@ -1457,14 +1327,6 @@ adcli_conn_get_domain_short (adcli_conn *conn) return conn->domain_short; } -const char * -adcli_conn_get_domain_sid (adcli_conn *conn) -{ - return_val_if_fail (conn != NULL, NULL); - return conn->domain_sid; -} - - LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn) { @@ -1480,19 +1342,6 @@ adcli_conn_get_krb5_context (adcli_conn *conn) return conn->k5; } -void -adcli_conn_set_krb5_context (adcli_conn *conn, - krb5_context k5) -{ - return_if_fail (conn != NULL); - - if (conn->k5 != NULL) { - krb5_free_context (conn->k5); - } - - conn->k5 = k5; -} - const char * adcli_conn_get_login_user (adcli_conn *conn) { @@ -1679,34 +1528,3 @@ adcli_conn_server_has_capability (adcli_conn *conn, return 0; } - -bool -adcli_conn_server_has_sasl_mech (adcli_conn *conn, - const char *mech) -{ - int i; - - return_val_if_fail (conn != NULL, false); - return_val_if_fail (mech != NULL, false); - - if (!conn->supported_sasl_mechs) - return false; - - for (i = 0; conn->supported_sasl_mechs[i] != NULL; i++) { - if (strcasecmp (mech, conn->supported_sasl_mechs[i]) == 0) - return true; - } - - return false; -} - -bool adcli_conn_is_writeable (adcli_conn *conn) -{ - disco_dance_if_necessary (conn); - - if (conn->domain_disco == NULL) { - return false; - } - - return ( (conn->domain_disco->flags & ADCLI_DISCO_WRITABLE) != 0); -} diff --git a/library/adconn.h b/library/adconn.h index 1d5faa8..a0cb1f8 100644 --- a/library/adconn.h +++ b/library/adconn.h 
@@ -89,21 +89,12 @@ const char * adcli_conn_get_domain_controller (adcli_conn *conn); void adcli_conn_set_domain_controller (adcli_conn *conn, const char *value); -bool adcli_conn_get_use_ldaps (adcli_conn *conn); -void adcli_conn_set_use_ldaps (adcli_conn *conn, - bool value); - const char * adcli_conn_get_domain_short (adcli_conn *conn); -const char * adcli_conn_get_domain_sid (adcli_conn *conn); - LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn); krb5_context adcli_conn_get_krb5_context (adcli_conn *conn); -void adcli_conn_set_krb5_context (adcli_conn *conn, - krb5_context k5); - const char * adcli_conn_get_computer_name (adcli_conn *conn); void adcli_conn_set_computer_name (adcli_conn *conn, @@ -153,9 +144,4 @@ void adcli_conn_set_krb5_conf_dir (adcli_conn *conn, int adcli_conn_server_has_capability (adcli_conn *conn, const char *capability); -bool adcli_conn_server_has_sasl_mech (adcli_conn *conn, - const char *mech); - -bool adcli_conn_is_writeable (adcli_conn *conn); - #endif /* ADCONN_H_ */ diff --git a/library/adenroll.c b/library/adenroll.c index 246f658..a15e4be 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -41,18 +41,6 @@ #include #include #include -#include -#include - -#ifndef SAMBA_DATA_TOOL -#define SAMBA_DATA_TOOL "/usr/bin/net" -#endif - -static krb5_enctype v60_later_enctypes_fips[] = { - ENCTYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - 0 -}; static krb5_enctype v60_later_enctypes[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96, 
@@ -71,29 +59,6 @@ static krb5_enctype v51_earlier_enctypes[] = { 0 }; -static char *default_ad_ldap_attrs[] = { - "sAMAccountName", - "userPrincipalName", - "msDS-KeyVersionNumber", - "msDS-supportedEncryptionTypes", - "dNSHostName", - "servicePrincipalName", - "operatingSystem", - "operatingSystemVersion", - "operatingSystemServicePack", - "pwdLastSet", - "userAccountControl", - "description", - NULL, -}; - -/* Some constants for the userAccountControl AD LDAP attribute, see e.g. - * https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro - * for details. */ -#define UAC_WORKSTATION_TRUST_ACCOUNT 0x1000 -#define UAC_DONT_EXPIRE_PASSWORD 0x10000 -#define UAC_TRUSTED_FOR_DELEGATION 0x80000 - struct _adcli_enroll { int refs; adcli_conn *conn; @@ -119,18 +84,12 @@ struct _adcli_enroll { char **service_principals; int service_principals_explicit; - char **service_principals_to_add; - char **service_principals_to_remove; - char *user_principal; int user_princpal_generate; char *os_name; - int os_name_explicit; char *os_version; - int os_version_explicit; char *os_service_pack; - int os_service_pack_explicit; krb5_kvno kvno; char *keytab_name; @@ -141,10 +100,6 @@ struct _adcli_enroll { int keytab_enctypes_explicit; unsigned int computer_password_lifetime; int computer_password_lifetime_explicit; - char *samba_data_tool; - bool trusted_for_delegation; - int trusted_for_delegation_explicit; - char *description; }; static adcli_result 
@@ -313,23 +268,16 @@ ensure_computer_password (adcli_result res, } static adcli_result -ensure_default_service_names (adcli_enroll *enroll) +ensure_service_names (adcli_result res, + adcli_enroll *enroll) { int length = 0; - if (enroll->service_names != NULL) { - length = seq_count (enroll->service_names); + if (res != ADCLI_SUCCESS) + return res; - /* Make sure there is no entry with an unexpected case. AD - * would not care but since the client side is case-sensitive - * we should make sure we use the expected spelling. */ - seq_remove_unsorted (enroll->service_names, - &length, "host", - (seq_compar)strcasecmp, free); - seq_remove_unsorted (enroll->service_names, - &length, "RestrictedKrbHost", - (seq_compar)strcasecmp, free); - } + if (enroll->service_names || enroll->service_principals) + return ADCLI_SUCCESS; /* The default ones specified by MS */ enroll->service_names = _adcli_strv_add (enroll->service_names, 
@@ -340,87 +288,13 @@ ensure_default_service_names (adcli_enroll *enroll) } static adcli_result -ensure_service_names (adcli_result res, - adcli_enroll *enroll) -{ - if (res != ADCLI_SUCCESS) - return res; - - if (enroll->service_names || enroll->service_principals) - return ADCLI_SUCCESS; - - return ensure_default_service_names (enroll); -} - -static adcli_result -add_service_names_to_service_principals (adcli_enroll *enroll) +ensure_service_principals (adcli_result res, + adcli_enroll *enroll) { char *name; int length = 0; int i; - if (enroll->service_principals != NULL) { - length = seq_count (enroll->service_principals); - } - - for (i = 0; enroll->service_names[i] != NULL; i++) { - if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->computer_name) < 0) - return_unexpected_if_reached (); - enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, - name, &length, false); - - if (enroll->host_fqdn) { - if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->host_fqdn) < 0) - return_unexpected_if_reached (); - enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, - name, &length, false); - } - } - - return ADCLI_SUCCESS; -} - -static adcli_result -add_and_remove_service_principals (adcli_enroll *enroll) -{ - int length = 0; - size_t c; - const char **list; - - if (enroll->service_principals != NULL) { - length = seq_count (enroll->service_principals); - } - - list = adcli_enroll_get_service_principals_to_add (enroll); - if (list != NULL) { - for (c = 0; list[c] != NULL; c++) { - enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, - strdup (list[c]), - &length, false); - if (enroll->service_principals == NULL) { - return ADCLI_ERR_UNEXPECTED; - } - } - } - - list = adcli_enroll_get_service_principals_to_remove (enroll); - if (list != NULL) { - for (c = 0; list[c] != NULL; c++) { - /* enroll->service_principals typically refects the - * order of the principal in the 
keytabm so it is not - * ordered. */ - _adcli_strv_remove_unsorted (enroll->service_principals, - list[c], &length); - } - } - - return ADCLI_SUCCESS; -} - -static adcli_result -ensure_service_principals (adcli_result res, - adcli_enroll *enroll) -{ if (res != ADCLI_SUCCESS) return res; @@ -428,33 +302,23 @@ ensure_service_principals (adcli_result res, if (!enroll->service_principals) { assert (enroll->service_names != NULL); - res = add_service_names_to_service_principals (enroll); - } - if (res == ADCLI_SUCCESS) { - res = add_and_remove_service_principals (enroll); - } - - return res; -} - -static void enroll_clear_keytab_principals (adcli_enroll *enroll) -{ - krb5_context k5; - size_t c; - - if (enroll->keytab_principals) { - k5 = adcli_conn_get_krb5_context (enroll->conn); - return_if_fail (k5 != NULL); - - for (c = 0; enroll->keytab_principals[c] != NULL; c++) - krb5_free_principal (k5, enroll->keytab_principals[c]); - - free (enroll->keytab_principals); - enroll->keytab_principals = NULL; + for (i = 0; enroll->service_names[i] != NULL; i++) { + if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->computer_name) < 0) + return_unexpected_if_reached (); + enroll->service_principals = _adcli_strv_add (enroll->service_principals, + name, &length); + + if (enroll->host_fqdn) { + if (asprintf (&name, "%s/%s", enroll->service_names[i], enroll->host_fqdn) < 0) + return_unexpected_if_reached (); + enroll->service_principals = _adcli_strv_add (enroll->service_principals, + name, &length); + } + } } - return; + return ADCLI_SUCCESS; } static adcli_result @@ -474,9 +338,7 @@ ensure_keytab_principals (adcli_result res, k5 = adcli_conn_get_krb5_context (enroll->conn); return_unexpected_if_fail (k5 != NULL); - enroll_clear_keytab_principals (enroll); enroll->keytab_principals = calloc (count + 3, sizeof (krb5_principal)); - return_unexpected_if_fail (enroll->keytab_principals != NULL); at = 0; /* First add the principal for the computer account name */ 
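Review bot: In the hunk at -474/+338 the result of `calloc (count + 3, sizeof (krb5_principal))` is no longer checked, and the code after the hunk presumably fills `enroll->keytab_principals` by index starting at `at = 0`, so an allocation failure turns into a NULL dereference; keep `return_unexpected_if_fail (enroll->keytab_principals != NULL);` directly after the calloc. With the clearing step also dropped, any principals already stored in `enroll->keytab_principals` would be overwritten rather than freed if the function runs a second time on the same enroll object — whether a caller does that is not visible here. ensure_keytab_principals starts before the hunk and continues after it.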
@@ -652,90 +514,6 @@ calculate_computer_account (adcli_enroll *enroll, } static adcli_result -calculate_enctypes (adcli_enroll *enroll, char **enctype) -{ - char *value = NULL; - krb5_enctype *read_enctypes; - krb5_enctype *new_enctypes; - char *new_value = NULL; - int is_2008_or_later; - LDAP *ldap; - - *enctype = NULL; - /* - * Because we're using a keytab we want the server to be aware of the - * encryption types supported on the client, because we can't dynamically - * use a new one that's thrown at us. - * - * If the encryption types are not explicitly set by the caller of this - * library, then see if the account already has some encryption types - * marked on it. - * - * If not, write our default set to the account. - * - * Note that Windows 2003 and earlier have a standard set of encryption - * types, and no msDS-supportedEncryptionTypes attribute. - */ - - ldap = adcli_conn_get_ldap_connection (enroll->conn); - return_unexpected_if_fail (ldap != NULL); - - is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID); - - /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */ - if (is_2008_or_later && enroll->computer_attributes != NULL) { - value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, - "msDS-supportedEncryptionTypes"); - - if (!enroll->keytab_enctypes_explicit && value != NULL) { - read_enctypes = _adcli_krb5_parse_enctypes (value); - if (read_enctypes == NULL) { - _adcli_warn ("Invalid or unsupported encryption types are set on " - "the computer account (%s).", value); - } else { - free (enroll->keytab_enctypes); - enroll->keytab_enctypes = read_enctypes; - } - } - - /* In 2003 or earlier, standard set of enc types */ - } else { - value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); - } - - new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); - if (new_enctypes == NULL) { - _adcli_warn ("No permitted encryption type found."); - return ADCLI_ERR_UNEXPECTED; - } - - 
new_value = _adcli_krb5_format_enctypes (new_enctypes); - krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes); - if (new_value == NULL) { - free (value); - _adcli_warn ("The encryption types desired are not available in active directory"); - return ADCLI_ERR_CONFIG; - } - - /* If we already have this value, then don't need to update */ - if (value && strcmp (new_value, value) == 0) { - free (value); - free (new_value); - return ADCLI_SUCCESS; - } - free (value); - - if (!is_2008_or_later) { - free (new_value); - _adcli_warn ("Server does not support setting encryption types"); - return ADCLI_SUCCESS; - } - - *enctype = new_value; - return ADCLI_SUCCESS; -} - -static adcli_result create_computer_account (adcli_enroll *enroll, LDAP *ldap) { 
@@ -744,68 +522,18 @@ create_computer_account (adcli_enroll *enroll, char *vals_sAMAccountName[] = { enroll->computer_sam, NULL }; LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } }; char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */ - LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } }; - char *vals_supportedEncryptionTypes[] = { NULL, NULL }; - LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } }; - char *vals_dNSHostName[] = { enroll->host_fqdn, NULL }; - LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } }; - char *vals_operatingSystem[] = { enroll->os_name, NULL }; - LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } }; - char *vals_operatingSystemVersion[] = { enroll->os_version, NULL }; - LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } }; - char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL }; - LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } }; - char *vals_userPrincipalName[] = { enroll->user_principal, NULL }; - LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, }; - LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } }; - char *vals_description[] = { enroll->description, NULL }; - LDAPMod description = { LDAP_MOD_ADD, "description", { vals_description, }, }; - - char *val = NULL; + LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } }; int ret; - size_t c; - size_t m; - LDAPMod *all_mods[] = { + LDAPMod *mods[] = { &objectClass, &sAMAccountName, &userAccountControl, - &encTypes, - &dNSHostName, - &operatingSystem, - 
&operatingSystemVersion, - &operatingSystemServicePack, - &userPrincipalName, - &servicePrincipalName, - &description, - NULL + NULL, }; - size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *); - LDAPMod *mods[mods_count]; - - if (adcli_enroll_get_trusted_for_delegation (enroll)) { - vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */ - } - - ret = calculate_enctypes (enroll, &val); - if (ret != ADCLI_SUCCESS) { - return ret; - } - vals_supportedEncryptionTypes[0] = val; - - m = 0; - for (c = 0; c < mods_count - 1; c++) { - /* Skip empty LDAP sttributes */ - if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) { - mods[m++] = all_mods[c]; - } - } - mods[m] = NULL; - ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL); - free (val); /* * Hand to head. This is really dumb... AD returns @@ -1133,10 +861,6 @@ set_password_with_user_creds (adcli_enroll *enroll) #endif } else { _adcli_info ("Set computer password"); - if (enroll->kvno > 0) { - enroll->kvno++; - _adcli_info ("kvno incremented to %d", enroll->kvno); - } res = ADCLI_SUCCESS; } @@ -1233,6 +957,18 @@ retrieve_computer_account (adcli_enroll *enroll) char *end; int ret; + char *attrs[] = { + "msDS-KeyVersionNumber", + "msDS-supportedEncryptionTypes", + "dNSHostName", + "servicePrincipalName", + "operatingSystem", + "operatingSystemVersion", + "operatingSystemServicePack", + "pwdLastSet", + NULL, + }; + assert (enroll->computer_dn != NULL); assert (enroll->computer_attributes == NULL); @@ -1240,8 +976,7 @@ retrieve_computer_account (adcli_enroll *enroll) assert (ldap != NULL); ret = ldap_search_ext_s (ldap, enroll->computer_dn, LDAP_SCOPE_BASE, - "(objectClass=*)", default_ad_ldap_attrs, - 0, NULL, NULL, NULL, -1, + "(objectClass=*)", attrs, 0, NULL, NULL, NULL, -1, &enroll->computer_attributes); if (ret != LDAP_SUCCESS) { 
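Review bot: `userAccountControl` is built with `LDAP_MOD_REPLACE` while every other LDAPMod passed to the same `ldap_add_ext_s` call uses `LDAP_MOD_ADD`; servers generally ignore the operation field on an add, but the mixed op reads as if a replace were intended and should be `LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } };`. The literal "69632" is also duplicated in update_computer_account (@@ -1419), so a single named constant next to the existing WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD comment would keep the two in sync. create_computer_account continues outside this hunk.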
@@ -1284,23 +1019,75 @@ retrieve_computer_account (adcli_enroll *enroll) static adcli_result update_and_calculate_enctypes (adcli_enroll *enroll) { + char *value = NULL; + krb5_enctype *read_enctypes; char *vals_supportedEncryptionTypes[] = { NULL, NULL }; LDAPMod mod = { LDAP_MOD_REPLACE, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } }; LDAPMod *mods[2] = { &mod, NULL }; + int is_2008_or_later; char *new_value; LDAP *ldap; int ret; + /* + * Because we're using a keytab we want the server to be aware of the + * encryption types supported on the client, because we can't dynamically + * use a new one that's thrown at us. + * + * If the encryption types are not explicitly set by the caller of this + * library, then see if the account already has some encryption types + * marked on it. + * + * If not, write our default set to the account. + * + * Note that Windows 2003 and earlier have a standard set of encryption + * types, and no msDS-supportedEncryptionTypes attribute. 
+ */ + ldap = adcli_conn_get_ldap_connection (enroll->conn); return_unexpected_if_fail (ldap != NULL); - ret = calculate_enctypes (enroll, &new_value); - if (ret != ADCLI_SUCCESS) { - free (new_value); - return ret; + is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID); + + /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */ + if (is_2008_or_later) { + value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, + "msDS-supportedEncryptionTypes"); + + if (!enroll->keytab_enctypes_explicit && value != NULL) { + read_enctypes = _adcli_krb5_parse_enctypes (value); + if (read_enctypes == NULL) { + _adcli_warn ("Invalid or unsupported encryption types are set on " + "the computer account (%s).", value); + } else { + free (enroll->keytab_enctypes); + enroll->keytab_enctypes = read_enctypes; + } + } + + /* In 2003 or earlier, standard set of enc types */ + } else { + value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); } + new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll)); if (new_value == NULL) { + free (value); + _adcli_warn ("The encryption types desired are not available in active directory"); + return ADCLI_ERR_CONFIG; + } + + /* If we already have this value, then don't need to update */ + if (value && strcmp (new_value, value) == 0) { + free (value); + free (new_value); + return ADCLI_SUCCESS; + } + free (value); + + if (!is_2008_or_later) { + free (new_value); + _adcli_warn ("Server does not support setting encryption types"); return ADCLI_SUCCESS; } 
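Review bot: `_adcli_ldap_parse_value (ldap, enroll->computer_attributes, "msDS-supportedEncryptionTypes")` is called on the 2008-or-later branch without checking that `enroll->computer_attributes` is non-NULL; it is not clear from this diff that the attributes have always been retrieved when enroll_join_or_update_tasks (@@ -2088) reaches this function after a fresh create, so unless `_adcli_ldap_parse_value` tolerates a NULL message the branch should be guarded with `if (is_2008_or_later && enroll->computer_attributes != NULL) {`. Note also that `new_value` is formatted straight from `adcli_enroll_get_keytab_enctypes`, so the list written to the directory is not intersected with what the local Kerberos library permits. The tail of update_and_calculate_enctypes is outside the hunk.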
@@ -1357,47 +1144,6 @@ update_computer_attribute (adcli_enroll *enroll, return res; } -static char *get_user_account_control (adcli_enroll *enroll) -{ - uint32_t uac = 0; - unsigned long attr_val; - char *uac_str; - LDAP *ldap; - char *end; - - ldap = adcli_conn_get_ldap_connection (enroll->conn); - return_val_if_fail (ldap != NULL, NULL); - - uac_str = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, "userAccountControl"); - if (uac_str != NULL) { - - attr_val = strtoul (uac_str, &end, 10); - if (*end != '\0' || attr_val > UINT32_MAX) { - _adcli_warn ("Invalid userAccountControl '%s' for computer account in directory: %s, assuming 0", - uac_str, enroll->computer_dn); - } else { - uac = attr_val; - } - free (uac_str); - } - - if (uac == 0) { - uac = UAC_WORKSTATION_TRUST_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD; - } - - if (adcli_enroll_get_trusted_for_delegation (enroll)) { - uac |= UAC_TRUSTED_FOR_DELEGATION; - } else { - uac &= ~(UAC_TRUSTED_FOR_DELEGATION); - } - - if (asprintf (&uac_str, "%d", uac) < 0) { - return_val_if_reached (NULL); - } - - return uac_str; -} - static void update_computer_account (adcli_enroll *enroll) { @@ -1407,11 +1153,7 @@ update_computer_account (adcli_enroll *enroll) ldap = adcli_conn_get_ldap_connection (enroll->conn); return_if_fail (ldap != NULL); - /* Only update attributes which are explicitly given on the command - * line. Otherwise 'adcli update' must be always called with the same - * set of options to make sure existing attributes are not deleted or - * overwritten with different values. */ - if (enroll->host_fqdn_explicit) { + { char *vals_dNSHostName[] = { enroll->host_fqdn, NULL }; LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } }; LDAPMod *mods[] = { &dNSHostName, NULL }; 
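Review bot: The dNSHostName update now runs unconditionally (the bare `{` block), so when `enroll->host_fqdn` is NULL the LDAPMod carries an empty value list and `LDAP_MOD_REPLACE` asks the server to clear the attribute rather than leave it untouched; the operatingSystem*, and userPrincipalName modifications in @@ -1439 have the same shape. Skip a modification whose value is absent, e.g. `if (enroll->host_fqdn != NULL) {`, or assemble `mods` only from attributes that carry a value. update_computer_account starts and ends outside this hunk.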
@@ -1419,17 +1161,12 @@ update_computer_account (adcli_enroll *enroll) res |= update_computer_attribute (enroll, ldap, mods); } - if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) { - char *vals_userAccountControl[] = { NULL , NULL }; + if (res == ADCLI_SUCCESS) { + char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */ LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } }; LDAPMod *mods[] = { &userAccountControl, NULL }; - vals_userAccountControl[0] = get_user_account_control (enroll); - if (vals_userAccountControl[0] != NULL) { - res |= update_computer_attribute (enroll, ldap, mods); - } else { - _adcli_warn ("Cannot update userAccountControl"); - } + res |= update_computer_attribute (enroll, ldap, mods); } if (res == ADCLI_SUCCESS) { 
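Review bot: `userAccountControl` is overwritten with the fixed string "69632" on every update, which discards any other bit an administrator has set on the account; the attribute is already requested in retrieve_computer_account's `attrs` list in this file, so reading the current value from `enroll->computer_attributes`, OR-ing in the required WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD bits and writing back the result would preserve them. At minimum the magic value should be a named constant shared with create_computer_account (@@ -744). The enclosing function continues outside the hunk.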
@@ -1439,25 +1176,12 @@ update_computer_account (adcli_enroll *enroll) LDAPMod operatingSystemVersion = { LDAP_MOD_REPLACE, "operatingSystemVersion", { vals_operatingSystemVersion, } }; char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL }; LDAPMod operatingSystemServicePack = { LDAP_MOD_REPLACE, "operatingSystemServicePack", { vals_operatingSystemServicePack, } }; - LDAPMod *mods[] = { NULL, NULL, NULL, NULL }; - size_t c = 0; + LDAPMod *mods[] = { &operatingSystem, &operatingSystemVersion, &operatingSystemServicePack, NULL }; - if (enroll->os_name_explicit) { - mods[c++] = &operatingSystem; - } - if (enroll->os_version_explicit) { - mods[c++] = &operatingSystemVersion; - } - if (enroll->os_service_pack_explicit) { - mods[c++] = &operatingSystemServicePack; - } + res |= update_computer_attribute (enroll, ldap, mods); + } - if (c != 0) { - res |= update_computer_attribute (enroll, ldap, mods); - } - } - - if (res == ADCLI_SUCCESS && enroll->user_principal != NULL && !enroll->user_princpal_generate) { + if (res == ADCLI_SUCCESS) { char *vals_userPrincipalName[] = { enroll->user_principal, NULL }; LDAPMod userPrincipalName = { LDAP_MOD_REPLACE, "userPrincipalName", { vals_userPrincipalName, }, }; LDAPMod *mods[] = { &userPrincipalName, NULL, }; @@ -1465,14 +1189,6 @@ update_computer_account (adcli_enroll *enroll) res |= update_computer_attribute (enroll, ldap, mods); } - if (res == ADCLI_SUCCESS && enroll->description != NULL) { - char *vals_description[] = { enroll->description, NULL }; - LDAPMod description = { LDAP_MOD_REPLACE, "description", { vals_description, }, }; - LDAPMod *mods[] = { &description, NULL, }; - - res |= update_computer_attribute (enroll, ldap, mods); - } - if (res != 0) _adcli_info ("Updated existing computer account: %s", enroll->computer_dn); } 
@@ -1586,14 +1302,14 @@ load_keytab_entry (krb5_context k5, value = strdup (name); return_val_if_fail (value != NULL, FALSE); _adcli_info ("Found service principal in keytab: %s", value); - enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, value, NULL, false); + enroll->service_principals = _adcli_strv_add (enroll->service_principals, value, NULL); } } if (!enroll->host_fqdn_explicit && !enroll->computer_name_explicit) { /* Automatically use the netbios name */ - if (!enroll->computer_name && len > 1 && + if (!enroll->computer_name && len > 1 && _adcli_str_is_up (name) && _adcli_str_has_suffix (name, "$") && !strchr (name, '/')) { enroll->computer_name = name; name[len - 1] = '\0'; @@ -1602,9 +1318,9 @@ load_keytab_entry (krb5_context k5, } else if (!enroll->host_fqdn && _adcli_str_has_prefix (name, "host/") && strchr (name, '.')) { /* Skip host/ prefix */ - enroll->host_fqdn = strdup (name + 5); - return_val_if_fail (enroll->host_fqdn != NULL, FALSE); - _adcli_info ("Found host qualified name in keytab: %s", enroll->host_fqdn); + enroll->host_fqdn = name + 5; + _adcli_info ("Found host qualified name in keytab: %s", name); + name = NULL; } } @@ -1636,7 +1352,7 @@ load_host_keytab (adcli_enroll *enroll) } krb5_free_context (k5); - return res; + return ADCLI_SUCCESS; } typedef struct { 
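Review bot: `enroll->host_fqdn = name + 5;` stores a pointer into the interior of the `name` buffer and then sets `name = NULL` to hand ownership over, so whatever later releases `host_fqdn` (enroll_free, or `_adcli_str_set` when the value is replaced) ends up calling free() on a non-allocation-start pointer, which is undefined behavior. Copy the suffix instead, `enroll->host_fqdn = strdup (name + 5); return_val_if_fail (enroll->host_fqdn != NULL, FALSE);`, and leave `name` to the existing cleanup. load_keytab_entry starts and ends outside this hunk.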
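Review bot: load_host_keytab now returns `ADCLI_SUCCESS` unconditionally, so the `res` accumulated earlier in the function (its assignments are outside the hunk) is computed and then discarded, and a failure while reading the keytab is reported to the caller as success. Return `res` here, or add a comment at that line stating why a keytab read error is deliberately non-fatal.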
@@ -1714,47 +1430,11 @@ free_principal_salts (krb5_context k5, } static adcli_result -remove_principal_from_keytab (adcli_enroll *enroll, - krb5_context k5, - const char *principal_name) -{ - krb5_error_code code; - krb5_principal principal; - match_principal_kvno closure; - - code = _adcli_krb5_build_principal (k5, principal_name, - adcli_conn_get_domain_realm (enroll->conn), - &principal); - if (code != 0) { - _adcli_err ("Couldn't parse principal: %s: %s", - principal_name, krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - - closure.kvno = enroll->kvno; - closure.principal = principal; - closure.matched = 0; - - code = _adcli_krb5_keytab_clear (k5, enroll->keytab, - match_principal_and_kvno, &closure); - krb5_free_principal (k5, principal); - - if (code != 0) { - _adcli_err ("Couldn't update keytab: %s: %s", - enroll->keytab_name, krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } - - return ADCLI_SUCCESS; -} - -static adcli_result add_principal_to_keytab (adcli_enroll *enroll, krb5_context k5, krb5_principal principal, const char *principal_name, - int *which_salt, - adcli_enroll_flags flags) + int *which_salt) { match_principal_kvno closure; krb5_data password; 
@@ -1782,50 +1462,36 @@ add_principal_to_keytab (adcli_enroll *enroll, enroll->keytab_name); } - enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); - if (enctypes == NULL) { - _adcli_warn ("No permitted encryption type found."); - return ADCLI_ERR_UNEXPECTED; - } + password.data = enroll->computer_password; + password.length = strlen (enroll->computer_password); - if (flags & ADCLI_ENROLL_PASSWORD_VALID) { - code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal, - enroll->kvno, enctypes); - } else { + enctypes = adcli_enroll_get_keytab_enctypes (enroll); - password.data = enroll->computer_password; - password.length = strlen (enroll->computer_password); - - /* - * So we need to discover which salt to use. As a side effect we are - * also testing that our account works. - */ + /* + * So we need to discover which salt to use. As a side effect we are + * also testing that our account works. + */ - salts = build_principal_salts (enroll, k5, principal); - if (salts == NULL) { - krb5_free_enctypes (k5, enctypes); - return ADCLI_ERR_UNEXPECTED; - } + salts = build_principal_salts (enroll, k5, principal); + return_unexpected_if_fail (salts != NULL); - if (*which_salt < 0) { - code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password, - enctypes, salts, which_salt); - if (code != 0) { - _adcli_warn ("Couldn't authenticate with keytab while discovering which salt to use: %s: %s", - principal_name, krb5_get_error_message (k5, code)); - *which_salt = DEFAULT_SALT; - } else { - assert (*which_salt >= 0); - _adcli_info ("Discovered which keytab salt to use"); - } + if (*which_salt < 0) { + code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password, + enctypes, salts, which_salt); + if (code != 0) { + _adcli_warn ("Couldn't authenticate with keytab while discovering which salt to use: %s: %s", + principal_name, krb5_get_error_message (k5, code)); + *which_salt = DEFAULT_SALT; + } else { + assert (*which_salt 
>= 0); + _adcli_info ("Discovered which keytab salt to use"); } + } - code = _adcli_krb5_keytab_add_entries (k5, enroll->keytab, principal, - enroll->kvno, &password, enctypes, &salts[*which_salt]); + code = _adcli_krb5_keytab_add_entries (k5, enroll->keytab, principal, + enroll->kvno, &password, enctypes, &salts[*which_salt]); - free_principal_salts (k5, salts); - } - krb5_free_enctypes (k5, enctypes); + free_principal_salts (k5, salts); if (code != 0) { _adcli_err ("Couldn't add keytab entries: %s: %s", @@ -1840,8 +1506,7 @@ add_principal_to_keytab (adcli_enroll *enroll, } static adcli_result -update_keytab_for_principals (adcli_enroll *enroll, - adcli_enroll_flags flags) +update_keytab_for_principals (adcli_enroll *enroll) { krb5_context k5; adcli_result res; 
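Review bot: `password.length = strlen (enroll->computer_password)` dereferences `enroll->computer_password` with no NULL check, and `enctypes` from `adcli_enroll_get_keytab_enctypes` is passed to `_adcli_krb5_keytab_discover_salt` and `_adcli_krb5_keytab_add_entries` unchecked as well; nothing in this hunk guarantees either. Add `return_unexpected_if_fail (enroll->computer_password != NULL);` before the assignment unless every caller establishes it. Note also that `enctypes` is the raw default list rather than one filtered by what the krb5 library permits, so an unsupported type surfaces only as the generic "Couldn't add keytab entries" error. add_principal_to_keytab starts and ends outside the hunk.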
@@ -1858,70 +1523,32 @@ update_keytab_for_principals (adcli_enroll *enroll, if (krb5_unparse_name (k5, enroll->keytab_principals[i], &name) != 0) name = ""; res = add_principal_to_keytab (enroll, k5, enroll->keytab_principals[i], - name, &which_salt, flags); + name, &which_salt); krb5_free_unparsed_name (k5, name); if (res != ADCLI_SUCCESS) return res; } - if (enroll->service_principals_to_remove != NULL) { - for (i = 0; enroll->service_principals_to_remove[i] != NULL; i++) { - res = remove_principal_from_keytab (enroll, k5, - enroll->service_principals_to_remove[i]); - if (res != ADCLI_SUCCESS) { - _adcli_warn ("Failed to remove %s from keytab.", - enroll->service_principals_to_remove[i]); - } - } - } - return ADCLI_SUCCESS; } -static adcli_result -update_samba_data (adcli_enroll *enroll) -{ - int ret; - char *argv_pw[] = { NULL, "changesecretpw", "-i", "-f", NULL }; - char *argv_sid[] = { NULL, "setdomainsid", NULL, NULL }; - - argv_pw[0] = (char *) adcli_enroll_get_samba_data_tool (enroll); - if (argv_pw[0] ==NULL) { - _adcli_err ("Samba data tool not available."); - return ADCLI_ERR_FAIL; - } - argv_sid[0] = argv_pw[0]; - - _adcli_info ("Trying to set Samba secret."); - ret = _adcli_call_external_program (argv_pw[0], argv_pw, - enroll->computer_password, NULL, NULL); - if (ret != ADCLI_SUCCESS) { - _adcli_err ("Failed to set Samba computer account password."); - } - - argv_sid[2] = (char *) adcli_conn_get_domain_sid (enroll->conn); - if (argv_sid[2] == NULL) { - _adcli_err ("Domain SID not available."); - } else { - _adcli_info ("Trying to set domain SID %s for Samba.", - argv_sid[2]); - ret = _adcli_call_external_program (argv_sid[0], argv_sid, - NULL, NULL, NULL); - if (ret != ADCLI_SUCCESS) { - _adcli_err ("Failed to set Samba domain SID."); - } - } - - return ret; -} - static void enroll_clear_state (adcli_enroll *enroll) { krb5_context k5; + int i; + + if (enroll->keytab_principals) { + k5 = adcli_conn_get_krb5_context (enroll->conn); + return_if_fail (k5 
!= NULL); - enroll_clear_keytab_principals (enroll); + for (i = 0; enroll->keytab_principals[i] != NULL; i++) + krb5_free_principal (k5, enroll->keytab_principals[i]); + + free (enroll->keytab_principals); + enroll->keytab_principals = NULL; + } if (enroll->keytab) { k5 = adcli_conn_get_krb5_context (enroll->conn); 
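Review bot: In enroll_clear_state the inlined loop returns via `return_if_fail (k5 != NULL)` before anything is freed, so on that path `enroll->keytab_principals` stays allocated and, unlike with the old helper, the remaining clearing work in the function is skipped too. Fetching `k5` once at the top and, when it is unavailable, still doing `free (enroll->keytab_principals); enroll->keytab_principals = NULL;` would keep the state reset consistent. enroll_clear_state continues outside the hunk.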
@@ -2002,76 +1629,12 @@ adcli_enroll_prepare (adcli_enroll *enroll, } static adcli_result -add_server_side_service_principals (adcli_enroll *enroll) -{ - char **spn_list; - LDAP *ldap; - size_t c; - int length = 0; - adcli_result res; - - ldap = adcli_conn_get_ldap_connection (enroll->conn); - assert (ldap != NULL); - - spn_list = _adcli_ldap_parse_values (ldap, enroll->computer_attributes, - "servicePrincipalName"); - if (spn_list == NULL) { - return ADCLI_SUCCESS; - } - - if (enroll->service_principals != NULL) { - length = seq_count (enroll->service_principals); - } - - for (c = 0; spn_list[c] != NULL; c++) { - _adcli_info ("Checking %s", spn_list[c]); - if (!_adcli_strv_has_ex (enroll->service_principals_to_remove, spn_list[c], strcasecmp)) { - enroll->service_principals = _adcli_strv_add_unique (enroll->service_principals, - strdup (spn_list[c]), - &length, false); - assert (enroll->service_principals != NULL); - _adcli_info (" Added %s", spn_list[c]); - } - } - _adcli_strv_free (spn_list); - - res = ensure_keytab_principals (ADCLI_SUCCESS, enroll); - if (res != ADCLI_SUCCESS) { - return res; - } - - return ADCLI_SUCCESS; -} - -static adcli_result enroll_join_or_update_tasks (adcli_enroll *enroll, adcli_enroll_flags flags) { adcli_result res; - krb5_kvno old_kvno = -1; if (!(flags & ADCLI_ENROLL_PASSWORD_VALID)) { - - /* Handle kvno changes for read-only domain controllers - * (RODC). Since the actual password change does not happen on - * the RODC the kvno change has to be replicated back which - * might take some time. So we check the kvno before and after - * the change if we are connected to a RODC and increment the - * kvno if needed. 
*/ - if (!adcli_conn_is_writeable (enroll->conn)) { - if (enroll->computer_attributes == NULL) { - res = retrieve_computer_account (enroll); - if (res != ADCLI_SUCCESS) - return res; - } - old_kvno = adcli_enroll_get_kvno (enroll); - _adcli_info ("Found old kvno '%d'", old_kvno); - - ldap_msgfree (enroll->computer_attributes); - enroll->computer_attributes = NULL; - adcli_enroll_set_kvno (enroll, 0); - } - res = set_computer_password (enroll); if (res != ADCLI_SUCCESS) return res; @@ -2088,48 +1651,11 @@ enroll_join_or_update_tasks (adcli_enroll *enroll, return res; } - /* Handle kvno changes for read-only domain controllers (RODC) */ - if (!adcli_conn_is_writeable (enroll->conn) && old_kvno != -1 && - adcli_enroll_get_kvno (enroll) != 0 && - adcli_enroll_get_kvno (enroll) == old_kvno) { - enroll->kvno++; - _adcli_info ("No kvno change detected on read-only DC, kvno " - "will be incremented by 1 to '%d'", enroll->kvno); - } - /* We ignore failures of setting these fields */ update_and_calculate_enctypes (enroll); update_computer_account (enroll); - - res = add_server_side_service_principals (enroll); - if (res != ADCLI_SUCCESS) { - return res; - } - - /* service_names is only set from input on the command line, so no - * additional check for explicit is needed here */ - if (enroll->service_names != NULL) { - res = add_service_names_to_service_principals (enroll); - if (res != ADCLI_SUCCESS) { - return res; - } - res = ensure_keytab_principals (res, enroll); - if (res != ADCLI_SUCCESS) { - return res; - } - } - update_service_principals (enroll); - if ( (flags & ADCLI_ENROLL_ADD_SAMBA_DATA) && ! (flags & ADCLI_ENROLL_PASSWORD_VALID)) { - res = update_samba_data (enroll); - if (res != ADCLI_SUCCESS) { - _adcli_info ("Failed to add Samba specific data, smbd " - "or winbindd might not work as " - "expected.\n"); - } - } - if (flags & ADCLI_ENROLL_NO_KEYTAB) return ADCLI_SUCCESS; 
@@ -2138,7 +1664,7 @@ enroll_join_or_update_tasks (adcli_enroll *enroll, * that we use for salting. */ - return update_keytab_for_principals (enroll, flags); + return update_keytab_for_principals (enroll); } adcli_result @@ -2156,10 +1682,6 @@ adcli_enroll_join (adcli_enroll *enroll, if (res != ADCLI_SUCCESS) return res; - res = ensure_default_service_names (enroll); - if (res != ADCLI_SUCCESS) - return res; - res = adcli_enroll_prepare (enroll, flags); if (res != ADCLI_SUCCESS) return res; @@ -2195,11 +1717,12 @@ adcli_enroll_load (adcli_enroll *enroll) } adcli_result -adcli_enroll_read_computer_account (adcli_enroll *enroll, - adcli_enroll_flags flags) +adcli_enroll_update (adcli_enroll *enroll, + adcli_enroll_flags flags) { adcli_result res = ADCLI_SUCCESS; LDAP *ldap; + char *value; return_unexpected_if_fail (enroll != NULL); @@ -2229,18 +1752,7 @@ adcli_enroll_read_computer_account (adcli_enroll *enroll, } /* Get information about the computer account */ - return retrieve_computer_account (enroll); -} - -adcli_result -adcli_enroll_update (adcli_enroll *enroll, - adcli_enroll_flags flags) -{ - adcli_result res = ADCLI_SUCCESS; - LDAP *ldap; - char *value; - - res = adcli_enroll_read_computer_account (enroll, flags); + res = retrieve_computer_account (enroll); if (res != ADCLI_SUCCESS) return res; @@ -2253,14 +1765,7 @@ adcli_enroll_update (adcli_enroll *enroll, if (_adcli_check_nt_time_string_lifetime (value, adcli_enroll_get_computer_password_lifetime (enroll))) { - /* Do not update keytab if neither new service principals have - * to be added or deleted nor the user principal has to be changed. */ - if (enroll->service_names == NULL - && (enroll->user_principal == NULL || enroll->user_princpal_generate) - && enroll->service_principals_to_add == NULL - && enroll->service_principals_to_remove == NULL) { - flags |= ADCLI_ENROLL_NO_KEYTAB; - } + flags |= ADCLI_ENROLL_NO_KEYTAB; flags |= ADCLI_ENROLL_PASSWORD_VALID; } free (value); 
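Review bot: `char *value;` added to adcli_enroll_update (@@ -2195) has no initializer while `free (value);` in @@ -2253 releases it, and the assignment lies between the two hunks; if any path reaches the free without assigning, an indeterminate pointer is freed. Initialise it, `char *value = NULL;`, so the free is a no-op on such paths. The function's body between the hunks is not visible here.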
@@ -2269,35 +1774,6 @@ adcli_enroll_update (adcli_enroll *enroll, } adcli_result -adcli_enroll_show_computer_attribute (adcli_enroll *enroll) -{ - LDAP *ldap; - size_t c; - char **vals; - size_t v; - - ldap = adcli_conn_get_ldap_connection (enroll->conn); - assert (ldap != NULL); - - for (c = 0; default_ad_ldap_attrs[c] != NULL; c++) { - vals = _adcli_ldap_parse_values (ldap, - enroll->computer_attributes, - default_ad_ldap_attrs[c]); - printf ("%s:\n", default_ad_ldap_attrs[c]); - if (vals == NULL) { - printf (" - not set -\n"); - } else { - for (v = 0; vals[v] != NULL; v++) { - printf (" %s\n", vals[v]); - } - } - _adcli_strv_free (vals); - } - - return ADCLI_SUCCESS; -} - -adcli_result adcli_enroll_delete (adcli_enroll *enroll, adcli_enroll_flags delete_flags) { @@ -2405,9 +1881,6 @@ adcli_enroll_new (adcli_conn *conn) enroll->os_name = strdup (value); return_val_if_fail (enroll->os_name != NULL, NULL); - enroll->samba_data_tool = strdup (SAMBA_DATA_TOOL); - return_val_if_fail (enroll->samba_data_tool != NULL, NULL); - return enroll; } @@ -2435,7 +1908,6 @@ enroll_free (adcli_enroll *enroll) free (enroll->os_name); free (enroll->os_version); free (enroll->os_service_pack); - free (enroll->samba_data_tool); free (enroll->user_principal); _adcli_strv_free (enroll->service_names); @@ -2673,28 +2145,6 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll, enroll->keytab_name_is_krb5 = 0; } -#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" - -static bool adcli_fips_enabled (void) -{ - int fd; - ssize_t len; - char buf[8]; - - fd = open (PROC_SYS_FIPS, O_RDONLY); - if (fd != -1) { - len = read (fd, buf, sizeof (buf)); - close (fd); - /* Assume FIPS in enabled if PROC_SYS_FIPS contains a - * non-0 value. */ - if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) { - return true; - } - } - - return false; -} - krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) { 
@@ -2703,62 +2153,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) return enroll->keytab_enctypes; if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID)) - if (adcli_fips_enabled ()) { - return v60_later_enctypes_fips; - } else { - return v60_later_enctypes; - } + return v60_later_enctypes; else return v51_earlier_enctypes; } -krb5_enctype * -adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll) -{ - krb5_enctype *cur_enctypes; - krb5_enctype *permitted_enctypes; - krb5_enctype *new_enctypes; - krb5_error_code code; - krb5_context k5; - size_t c; - size_t p; - size_t n; - - return_val_if_fail (enroll != NULL, NULL); - cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll); - - k5 = adcli_conn_get_krb5_context (enroll->conn); - return_val_if_fail (k5 != NULL, NULL); - - code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); - return_val_if_fail (code == 0, NULL); - - for (c = 0; cur_enctypes[c] != 0; c++); - - new_enctypes = calloc (c + 1, sizeof (krb5_enctype)); - if (new_enctypes == NULL) { - krb5_free_enctypes (k5, permitted_enctypes); - return NULL; - } - - n = 0; - for (c = 0; cur_enctypes[c] != 0; c++) { - for (p = 0; permitted_enctypes[p] != 0; p++) { - if (cur_enctypes[c] == permitted_enctypes[p]) { - new_enctypes[n++] = cur_enctypes[c]; - break; - } - } - if (permitted_enctypes[p] == 0) { - _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]); - } - } - - krb5_free_enctypes (k5, permitted_enctypes); - - return new_enctypes; -} - void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, krb5_enctype *value) @@ -2793,7 +2192,6 @@ adcli_enroll_set_os_name (adcli_enroll *enroll, if (value && value[0] == '\0') value = NULL; _adcli_str_set (&enroll->os_name, value); - enroll->os_name_explicit = 1; } const char * 
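Review bot: adcli_enroll_get_keytab_enctypes now returns the static `v60_later_enctypes` / `v51_earlier_enctypes` list without consulting FIPS state or `krb5_get_permitted_enctypes`, and the callers in this diff (add_principal_to_keytab at @@ -1782, update_and_calculate_enctypes at @@ -1284) use the result as-is. If that list contains a type the local library refuses, keytab creation fails late with a generic error and the value written to msDS-supportedEncryptionTypes no longer matches what the host can use; filtering against the permitted set before returning, or a comment here stating that callers must do so, would close that gap. The unbraced `if ... return ...; else return ...;` is also at odds with the braced blocks used elsewhere in the file.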
@@ -2811,7 +2209,6 @@ adcli_enroll_set_os_version (adcli_enroll *enroll, if (value && value[0] == '\0') value = NULL; _adcli_str_set (&enroll->os_version, value); - enroll->os_version_explicit = 1; } const char * @@ -2829,7 +2226,6 @@ adcli_enroll_set_os_service_pack (adcli_enroll *enroll, if (value && value[0] == '\0') value = NULL; _adcli_str_set (&enroll->os_service_pack, value); - enroll->os_service_pack_explicit = 1; } const char * 
@@ -2877,173 +2273,3 @@ adcli_enroll_set_computer_password_lifetime (adcli_enroll *enroll, enroll->computer_password_lifetime_explicit = 1; } - -void -adcli_enroll_set_samba_data_tool (adcli_enroll *enroll, const char *value) -{ - return_if_fail (enroll != NULL); - if (value != NULL && value[0] != '\0') { - _adcli_str_set (&enroll->samba_data_tool, value); - } -} - -const char * -adcli_enroll_get_samba_data_tool (adcli_enroll *enroll) -{ - return_val_if_fail (enroll != NULL, NULL); - return enroll->samba_data_tool; -} - -bool -adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll) -{ - return_val_if_fail (enroll != NULL, false); - - return enroll->trusted_for_delegation; -} - -void -adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll, - bool value) -{ - return_if_fail (enroll != NULL); - - enroll->trusted_for_delegation = value; - enroll->trusted_for_delegation_explicit = 1; -} - -void -adcli_enroll_set_description (adcli_enroll *enroll, const char *value) -{ - return_if_fail (enroll != NULL); - if (value != NULL && value[0] != '\0') { - _adcli_str_set (&enroll->description, value); - } -} - -const char * -adcli_enroll_get_desciption (adcli_enroll *enroll) -{ - return_val_if_fail (enroll != NULL, NULL); - return enroll->description; -} - -const char ** -adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll) -{ - return_val_if_fail (enroll != NULL, NULL); - - return (const char **)enroll->service_principals_to_add; -} - -void -adcli_enroll_add_service_principal_to_add (adcli_enroll *enroll, - const char *value) -{ - return_if_fail (enroll != NULL); - return_if_fail (value != NULL); - - enroll->service_principals_to_add = _adcli_strv_add (enroll->service_principals_to_add, - strdup (value), NULL); - return_if_fail (enroll->service_principals_to_add != NULL); -} - -const char ** -adcli_enroll_get_service_principals_to_remove (adcli_enroll *enroll) -{ - return_val_if_fail (enroll != NULL, NULL); - - return (const char 
**)enroll->service_principals_to_remove; -} - -void -adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll, - const char *value) -{ - return_if_fail (enroll != NULL); - return_if_fail (value != NULL); - - enroll->service_principals_to_remove = _adcli_strv_add (enroll->service_principals_to_remove, - strdup (value), NULL); - return_if_fail (enroll->service_principals_to_remove != NULL); -} - -#ifdef ADENROLL_TESTS - -#include "test.h" - -static void -test_adcli_enroll_get_permitted_keytab_enctypes (void) -{ - krb5_enctype *enctypes; - krb5_error_code code; - krb5_enctype *permitted_enctypes; - krb5_enctype check_enctypes[3] = { 0 }; - adcli_conn *conn; - adcli_enroll *enroll; - adcli_result res; - krb5_context k5; - size_t c; - - conn = adcli_conn_new ("test.dom"); - assert_ptr_not_null (conn); - - enroll = adcli_enroll_new (conn); - assert_ptr_not_null (enroll); - - enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL); - assert_ptr_eq (enctypes, NULL); - - /* krb5 context missing */ - enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); - assert_ptr_eq (enctypes, NULL); - - /* check that all permitted enctypes can pass */ - res = _adcli_krb5_init_context (&k5); - assert_num_eq (res, ADCLI_SUCCESS); - - adcli_conn_set_krb5_context (conn, k5); - - code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); - assert_num_eq (code, 0); - assert_ptr_not_null (permitted_enctypes); - assert_num_cmp (permitted_enctypes[0], !=, 0); - - adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes); - - enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); - assert_ptr_not_null (enctypes); - for (c = 0; permitted_enctypes[c] != 0; c++) { - assert_num_eq (enctypes[c], permitted_enctypes[c]); - } - assert_num_eq (enctypes[c], 0); - krb5_free_enctypes (k5, enctypes); - - /* check that ENCTYPE_UNKNOWN is filtered out */ - check_enctypes[0] = permitted_enctypes[0]; - check_enctypes[1] = ENCTYPE_UNKNOWN; - check_enctypes[2] = 0; - 
adcli_enroll_set_keytab_enctypes (enroll, check_enctypes); - - enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); - assert_ptr_not_null (enctypes); - assert_num_eq (enctypes[0], permitted_enctypes[0]); - assert_num_eq (enctypes[1], 0); - krb5_free_enctypes (k5, enctypes); - - krb5_free_enctypes (k5, permitted_enctypes); - - adcli_enroll_unref (enroll); - adcli_conn_unref (conn); -} - -int -main (int argc, - char *argv[]) -{ - test_func (test_adcli_enroll_get_permitted_keytab_enctypes, - "/attrs/adcli_enroll_get_permitted_keytab_enctypes"); - return test_run (argc, argv); -} - -#endif /* ADENROLL_TESTS */ diff --git a/library/adenroll.h b/library/adenroll.h index 0606169..9a107ab 100644 --- a/library/adenroll.h +++ b/library/adenroll.h @@ -30,7 +30,6 @@ typedef enum { ADCLI_ENROLL_NO_KEYTAB = 1 << 1, ADCLI_ENROLL_ALLOW_OVERWRITE = 1 << 2, ADCLI_ENROLL_PASSWORD_VALID = 1 << 3, - ADCLI_ENROLL_ADD_SAMBA_DATA = 1 << 4, } adcli_enroll_flags; typedef struct _adcli_enroll adcli_enroll; @@ -46,11 +45,6 @@ adcli_result adcli_enroll_join (adcli_enroll *enroll, adcli_result adcli_enroll_update (adcli_enroll *enroll, adcli_enroll_flags flags); -adcli_result adcli_enroll_read_computer_account (adcli_enroll *enroll, - adcli_enroll_flags flags); - -adcli_result adcli_enroll_show_computer_attribute (adcli_enroll *enroll); - adcli_result adcli_enroll_delete (adcli_enroll *enroll, adcli_enroll_flags delete_flags); 
@@ -103,14 +97,6 @@ const char ** adcli_enroll_get_service_principals (adcli_enroll *enroll); void adcli_enroll_set_service_principals (adcli_enroll *enroll, const char **value); -const char ** adcli_enroll_get_service_principals_to_add (adcli_enroll *enroll); -void adcli_enroll_add_service_principal_to_add (adcli_enroll *enroll, - const char *value); - -const char ** adcli_enroll_get_service_principals_to_remove (adcli_enroll *enroll); -void adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll, - const char *value); - const char * adcli_enroll_get_user_principal (adcli_enroll *enroll); void adcli_enroll_set_user_principal (adcli_enroll *enroll, @@ -122,14 +108,6 @@ unsigned int adcli_enroll_get_computer_password_lifetime (adcli_enroll *en void adcli_enroll_set_computer_password_lifetime (adcli_enroll *enroll, unsigned int lifetime); -bool adcli_enroll_get_trusted_for_delegation (adcli_enroll *enroll); -void adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll, - bool value); - -const char * adcli_enroll_get_desciption (adcli_enroll *enroll); -void adcli_enroll_set_description (adcli_enroll *enroll, - const char *value); - krb5_kvno adcli_enroll_get_kvno (adcli_enroll *enroll); void adcli_enroll_set_kvno (adcli_enroll *enroll, @@ -147,8 +125,6 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll); void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, krb5_enctype *enctypes); -krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll); - const char * adcli_enroll_get_os_name (adcli_enroll *enroll); void adcli_enroll_set_os_name (adcli_enroll *enroll, 
@@ -164,9 +140,4 @@ const char * adcli_enroll_get_os_service_pack (adcli_enroll *enroll); void adcli_enroll_set_os_service_pack (adcli_enroll *enroll, const char *value); -void adcli_enroll_set_samba_data_tool (adcli_enroll *enroll, - const char *value); - -const char * adcli_enroll_get_samba_data_tool (adcli_enroll *enroll); - #endif /* ADENROLL_H_ */ diff --git a/library/adentry.c b/library/adentry.c index 1cc0518..9b9e1c6 100644 --- a/library/adentry.c +++ b/library/adentry.c @@ -484,47 +484,3 @@ adcli_entry_new_group (adcli_conn *conn, return_val_if_fail (sam_name != NULL, NULL); return entry_new (conn, "group", group_entry_builder, sam_name); } - -adcli_result -adcli_get_nis_domain (adcli_entry *entry, - adcli_attrs *attrs) -{ - LDAP *ldap; - const char *ldap_attrs[] = { "cn", NULL }; - LDAPMessage *results; - LDAPMessage *ldap_entry; - char *base; - const char *filter = "objectClass=msSFU30DomainInfo"; - char *cn; - int ret; - - ldap = adcli_conn_get_ldap_connection (entry->conn); - return_unexpected_if_fail (ldap != NULL); - - if (asprintf (&base, "CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s", - adcli_conn_get_default_naming_context (entry->conn)) < 0) { - return_unexpected_if_reached (); - } - - ret = ldap_search_ext_s (ldap, base, LDAP_SCOPE_SUB, filter, (char **)ldap_attrs, - 0, NULL, NULL, NULL, -1, &results); - - free (base); - - if (ret != LDAP_SUCCESS) { - /* No NIS domain available */ - ldap_msgfree (results); - return ADCLI_SUCCESS; - } - - ldap_entry = ldap_first_entry (ldap, results); - if (ldap_entry != NULL) { - cn = _adcli_ldap_parse_value (ldap, ldap_entry, "cn"); - return_unexpected_if_fail (cn != NULL); - - adcli_attrs_add (attrs, "msSFU30NisDomain", cn, NULL); - } - ldap_msgfree (results); - - return ADCLI_SUCCESS; -} diff --git a/library/adentry.h b/library/adentry.h index ae90689..eb8bc00 100644 --- a/library/adentry.h +++ b/library/adentry.h 
@@ -58,6 +58,4 @@ const char * adcli_entry_get_sam_name (adcli_entry *entry); const char * adcli_entry_get_dn (adcli_entry *entry); -adcli_result adcli_get_nis_domain (adcli_entry *entry, - adcli_attrs *attrs); #endif /* ADENTRY_H_ */ diff --git a/library/adkrb5.c b/library/adkrb5.c index be3ede5..b0e903e 100644 --- a/library/adkrb5.c +++ b/library/adkrb5.c @@ -41,16 +41,12 @@ _adcli_krb5_build_principal (krb5_context k5, krb5_principal *principal) { krb5_error_code code; - char *name = NULL; + char *name; - /* Use user if user contains a @-character and add @realm otherwise */ - if (strchr (user, '@') == NULL) { - if (asprintf (&name, "%s@%s", user, realm) < 0) { - return_val_if_reached (ENOMEM); - } - } + if (asprintf (&name, "%s@%s", user, realm) < 0) + return_val_if_reached (ENOMEM); - code = krb5_parse_name (k5, name != NULL ? name : user, principal); + code = krb5_parse_name (k5, name, principal); return_val_if_fail (code == 0, code); free (name); 
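Review bot: `name` is leaked on the new side of `_adcli_krb5_build_principal` when `krb5_parse_name` fails, because `return_val_if_fail (code == 0, code);` returns before `free (name);`; `name` is not needed after the parse, so swapping the two lines (`free (name);` first, then `return_val_if_fail (code == 0, code);`) closes that path. Separately, the new code always appends `@realm`, so a `user` that already carries a realm yields a string with two `@` characters, which `krb5_parse_name` may reject or mis-parse; a comment on the `asprintf` line stating that callers must pass a bare user name would record that contract. The rest of the function is outside the hunk.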
@@ -208,118 +204,6 @@ _adcli_krb5_open_keytab (krb5_context k5, return ADCLI_SUCCESS; } -typedef struct { - krb5_kvno kvno; - krb5_enctype enctype; - int matched; -} match_enctype_kvno; - -static krb5_boolean -match_enctype_and_kvno (krb5_context k5, - krb5_keytab_entry *entry, - void *data) -{ - krb5_boolean similar = FALSE; - match_enctype_kvno *closure = data; - krb5_error_code code; - - assert (closure->enctype); - - code = krb5_c_enctype_compare (k5, closure->enctype, entry->key.enctype, - &similar); - - if (code == 0 && entry->vno == closure->kvno && similar) { - closure->matched = 1; - return 1; - } - - return 0; -} - -static krb5_error_code -_adcli_krb5_get_keyblock (krb5_context k5, - krb5_keytab keytab, - krb5_keyblock *keyblock, - krb5_boolean (* match_func) (krb5_context, - krb5_keytab_entry *, - void *), - void *match_data) -{ - krb5_kt_cursor cursor; - krb5_keytab_entry entry; - krb5_error_code code; - - code = krb5_kt_start_seq_get (k5, keytab, &cursor); - if (code == KRB5_KT_END || code == ENOENT) - return 0; - else if (code != 0) - return code; - - for (;;) { - code = krb5_kt_next_entry (k5, keytab, &entry, &cursor); - if (code != 0) - break; - - /* See if we should remove this entry */ - if (!match_func (k5, &entry, match_data)) { - krb5_free_keytab_entry_contents (k5, &entry); - continue; - } - - code = krb5_copy_keyblock_contents (k5, &entry.key, keyblock); - krb5_free_keytab_entry_contents (k5, &entry); - break; - - - } - - if (code == KRB5_KT_END) - code = 0; - - krb5_kt_end_seq_get (k5, keytab, &cursor); - return code; -} - -krb5_error_code -_adcli_krb5_keytab_copy_entries (krb5_context k5, - krb5_keytab keytab, - krb5_principal principal, - krb5_kvno kvno, - krb5_enctype *enctypes) -{ - krb5_keytab_entry entry; - krb5_error_code code; - int i; - match_enctype_kvno closure; - - for (i = 0; enctypes[i] != 0; i++) { - - closure.kvno = kvno; - closure.enctype = enctypes[i]; - closure.matched = 0; - - memset (&entry, 0, sizeof (entry)); - - code 
= _adcli_krb5_get_keyblock (k5, keytab, &entry.key, - match_enctype_and_kvno, &closure); - if (code != 0 || closure.matched == 0) { - return code != 0 ? code : ENOKEY; - } - - entry.principal = principal; - entry.vno = kvno; - - code = krb5_kt_add_entry (k5, keytab, &entry); - - entry.principal = NULL; - krb5_free_keytab_entry_contents (k5, &entry); - - if (code != 0) - return code; - } - - return 0; -} krb5_error_code _adcli_krb5_keytab_add_entries (krb5_context k5, @@ -395,33 +279,15 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5, krb5_keytab scratch; krb5_error_code code; int i; - krb5_enctype *salt_enctypes = NULL; - size_t c; - size_t s; /* TODO: This should be a unique name */ code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch); return_val_if_fail (code == 0, code); - for (c = 0; enctypes[c] != 0; c++); /* count enctypes */ - salt_enctypes = calloc (c + 1, sizeof (krb5_enctype)); - return_val_if_fail (salt_enctypes != NULL, ENOMEM); - - /* ENCTYPE_ARCFOUR_HMAC does not use salts, so it cannot be used to - * discover the right salt. */ - s = 0; - for (c = 0; enctypes[c] != 0; c++) { - if (enctypes[c] == ENCTYPE_ARCFOUR_HMAC) { - continue; - } - - salt_enctypes[s++] = enctypes[c]; - } - for (i = 0; salts[i].data != NULL; i++) { code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno, - password, salt_enctypes, &salts[i]); + password, enctypes, &salts[i]); if (code == 0) { *discovered = i; break; @@ -430,7 +296,6 @@ _adcli_krb5_keytab_discover_salt (krb5_context k5, } } - free (salt_enctypes); krb5_kt_close (k5, scratch); return code; } diff --git a/library/adldap.c b/library/adldap.c index d93efb7..7c7a01b 100644 --- a/library/adldap.c +++ b/library/adldap.c 
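Review bot: After this hunk `_adcli_krb5_keytab_discover_salt` passes the caller's `enctypes` unchanged to `_adcli_krb5_keytab_test_salt`; the comment removed from the old side recorded that `ENCTYPE_ARCFOUR_HMAC` does not use a salt, so if that type is in the list the test may succeed on the first candidate regardless of salt and `*discovered` would point at the wrong entry. `_adcli_krb5_keytab_test_salt` is not visible here, so this is inferred from the removed comment. If callers are expected to exclude salt-less enctypes themselves, a one-line comment above the `for (i = 0; salts[i].data != NULL; i++)` loop such as `/* enctypes is used as given; salt-less types (e.g. RC4) must be excluded by the caller */` documents that precondition.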
@@ -67,30 +67,6 @@ _adcli_ldap_handle_failure (LDAP *ldap, return defres; } -char * -_adcli_ldap_parse_sid (LDAP *ldap, - LDAPMessage *results, - const char *attr_name) -{ - LDAPMessage *entry; - struct berval **bvs; - char *val = NULL; - - entry = ldap_first_entry (ldap, results); - if (entry != NULL) { - bvs = ldap_get_values_len (ldap, entry, attr_name); - if (bvs != NULL) { - if (bvs[0]) { - val = _adcli_bin_sid_to_str ( (uint8_t *) bvs[0]->bv_val, - bvs[0]->bv_len); - return_val_if_fail (val != NULL, NULL); - } - ldap_value_free_len (bvs); - } - } - - return val; -} char * _adcli_ldap_parse_value (LDAP *ldap, @@ -210,25 +186,17 @@ _adcli_ldap_have_in_mod (LDAPMod *mod, struct berval *vals; struct berval **pvals; int count = 0; - int count_have = 0; int i; int ret; - /* Count number of values */ - for (i = 0; mod->mod_vals.modv_strvals[i] != 0; i++) - count++; - for (i = 0; have[i] != 0; i++) - count_have++; - - /* If numbers different something has to be added or removed */ - if (count != count_have) { - return 0; - } - /* Already in berval format, just compare */ if (mod->mod_op & LDAP_MOD_BVALUES) return _adcli_ldap_have_vals (mod->mod_vals.modv_bvals, have); + /* Count number of values */ + for (i = 0; mod->mod_vals.modv_strvals[i] != 0; i++) + count++; + vals = malloc (sizeof (struct berval) * (count + 1)); pvals = malloc (sizeof (struct berval *) * (count + 1)); for (i = 0; i < count; i++) { diff --git a/library/adprivate.h b/library/adprivate.h index 55e6234..fc146af 100644 --- a/library/adprivate.h +++ b/library/adprivate.h @@ -31,7 +31,6 @@ #include #include #include -#include #include 
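Review bot: The two allocations at the end of the `_adcli_ldap_have_in_mod` hunk, `vals = malloc (sizeof (struct berval) * (count + 1));` and `pvals = malloc (sizeof (struct berval *) * (count + 1));`, are not checked before the loop that writes into them; the loop body and any later check are outside the hunk, so if no check follows, allocation failure dereferences NULL. A check right after the second malloc, `if (vals == NULL || pvals == NULL) { free (vals); free (pvals); return 0; }` (with the return value matching what the rest of the function reports for "not present"), keeps the failure path explicit. The function continues past the end of the hunk.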
@@ -111,24 +110,11 @@ char ** _adcli_strv_add (char **strv, char *string, int *length) GNUC_WARN_UNUSED; -char ** _adcli_strv_add_unique (char **strv, - char *string, - int *length, - bool case_sensitive) GNUC_WARN_UNUSED; - -void _adcli_strv_remove_unsorted (char **strv, - const char *string, - int *length); - void _adcli_strv_free (char **strv); int _adcli_strv_has (char **strv, const char *str); -int _adcli_strv_has_ex (char **strv, - const char *str, - int (* compare) (const char *match, const char*value)); - char ** _adcli_strv_dup (char **strv) GNUC_WARN_UNUSED; char * _adcli_strv_join (char **strv, @@ -146,9 +132,6 @@ int _adcli_str_has_prefix (const char *str, int _adcli_str_has_suffix (const char *str, const char *suffix); -char * _adcli_bin_sid_to_str (const uint8_t *data, - size_t len); - char * _adcli_str_dupn (void *data, size_t len); @@ -187,10 +170,6 @@ adcli_result _adcli_ldap_handle_failure (LDAP *ldap, const char *desc, ...) GNUC_PRINTF(3, 4); -char * _adcli_ldap_parse_sid (LDAP *ldap, - LDAPMessage *results, - const char *attr_name); - char * _adcli_ldap_parse_value (LDAP *ldap, LDAPMessage *results, const char *attr_name); @@ -295,12 +274,6 @@ krb5_enctype * _adcli_krb5_parse_enctypes (const char *value); char * _adcli_krb5_format_enctypes (krb5_enctype *enctypes); -krb5_error_code _adcli_krb5_keytab_copy_entries (krb5_context k5, - krb5_keytab keytab, - krb5_principal principal, - krb5_kvno kvno, - krb5_enctype *enctypes); - struct _adcli_attrs { LDAPMod **mods; int len; @@ -308,10 +281,4 @@ struct _adcli_attrs { bool _adcli_check_nt_time_string_lifetime (const char *nt_time_string, unsigned int lifetime); -adcli_result _adcli_call_external_program (const char *binary, - char * const *argv, - const char *stdin_data, - uint8_t **stdout_data, - size_t *stdout_data_len); - #endif /* ADPRIVATE_H_ */ diff --git a/library/adutil.c b/library/adutil.c index 9b0c47f..21ccd27 100644 --- a/library/adutil.c +++ b/library/adutil.c 
@@ -36,7 +36,6 @@ #include #include #include -#include static adcli_message_func message_func = NULL; static char last_error[2048] = { 0, }; @@ -222,60 +221,19 @@ _adcli_strv_add (char **strv, } int -_adcli_strv_has_ex (char **strv, - const char *str, - int (* compare) (const char *match, const char*value)) +_adcli_strv_has (char **strv, + const char *str) { int i; for (i = 0; strv && strv[i] != NULL; i++) { - if (compare (strv[i], str) == 0) + if (strcmp (strv[i], str) == 0) return 1; } return 0; } -char ** -_adcli_strv_add_unique (char **strv, - char *string, - int *length, - bool case_sensitive) -{ - if (_adcli_strv_has_ex (strv, string, case_sensitive ? strcmp : strcasecmp) == 1) { - return strv; - } - - return _adcli_strv_add (strv, string, length); -} - -#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) - -void -_adcli_strv_remove_unsorted (char **strv, - const char *string, - int *length) -{ - int len; - - return_if_fail (string != NULL); - - if (!length) { - len = seq_count (strv); - length = &len; - } - - return seq_remove_unsorted (strv, length, discard_const (string), - (seq_compar)strcasecmp, free); -} - -int -_adcli_strv_has (char **strv, - const char *str) -{ - return _adcli_strv_has_ex (strv, str, strcmp); -} - void _adcli_str_up (char *str) { 
@@ -336,83 +294,6 @@ _adcli_strv_set (char ***field, } char * -_adcli_bin_sid_to_str (const uint8_t *data, - size_t len) -{ - uint8_t sid_rev_num; - int8_t num_auths; - uint8_t id_auth[6]; - uint32_t id_auth_val; - uint32_t sub_auths[15]; - uint32_t val; - size_t p = 0; - size_t c; - int nc; - char *sid_buf; - size_t sid_buf_len; - - if (data == NULL || len < 8) { - return NULL; - } - - sid_rev_num = (uint8_t) data [p]; - p++; - - num_auths = (int8_t) data[p]; - p++; - - if (num_auths > 15 || len < 8 + (num_auths * sizeof (uint32_t))) { - return NULL; - } - - for (c = 0; c < 6; c++) { - id_auth[c] = (uint8_t) data[p]; - p++; - } - - /* Only 32bits are used for the string representation */ - id_auth_val = (id_auth[2] << 24) + - (id_auth[3] << 16) + - (id_auth[4] << 8) + - (id_auth[5]); - - for (c = 0; c < num_auths; c++) { - memcpy (&val, data + p, sizeof (uint32_t)); - sub_auths[c] = le32toh (val); - - p += sizeof (uint32_t); - } - - sid_buf_len = 17 + (num_auths * 11); - sid_buf = calloc (1, sid_buf_len); - if (sid_buf == NULL) { - return NULL; - } - - nc = snprintf (sid_buf, sid_buf_len, "S-%u-%lu", sid_rev_num, - (unsigned long) id_auth_val); - if (nc < 0 || nc >= sid_buf_len) { - free (sid_buf); - return NULL; - } - - p = 0; - for (c = 0; c < num_auths; c++) { - p += nc; - sid_buf_len -= nc; - - nc = snprintf (sid_buf + p, sid_buf_len, "-%lu", - (unsigned long) sub_auths[c]); - if (nc < 0 || nc >= sid_buf_len) { - free (sid_buf); - return NULL; - } - } - - return sid_buf; -} - -char * _adcli_str_dupn (void *data, size_t len) { 
@@ -548,161 +429,6 @@ _adcli_check_nt_time_string_lifetime (const char *nt_time_string, return false; } -adcli_result -_adcli_call_external_program (const char *binary, char * const *argv, - const char *stdin_data, - uint8_t **stdout_data, size_t *stdout_data_len) -{ - int ret; - int pipefd_to_child[2] = { -1, -1}; - int pipefd_from_child[2] = { -1, -1}; - pid_t child_pid = 0; - int err; - size_t len; - ssize_t rlen; - pid_t wret; - int status; - uint8_t read_buf[4096]; - uint8_t *out; - - errno = 0; - ret = access (binary, X_OK); - if (ret != 0) { - err = errno; - _adcli_err ("Cannot run [%s]: [%d][%s].", binary, err, - strerror (err)); - ret = ADCLI_ERR_FAIL; - goto done; - } - - ret = pipe (pipefd_from_child); - if (ret == -1) { - err = errno; - _adcli_err ("pipe failed [%d][%s].", err, strerror (err)); - ret = ADCLI_ERR_FAIL; - goto done; - } - - ret = pipe (pipefd_to_child); - if (ret == -1) { - err = errno; - _adcli_err ("pipe failed [%d][%s].", err, strerror (err)); - ret = ADCLI_ERR_FAIL; - goto done; - } - - child_pid = fork (); - - if (child_pid == 0) { /* child */ - close (pipefd_to_child[1]); - ret = dup2 (pipefd_to_child[0], STDIN_FILENO); - if (ret == -1) { - err = errno; - _adcli_err ("dup2 failed [%d][%s].", err, - strerror (err)); - exit (EXIT_FAILURE); - } - - close (pipefd_from_child[0]); - ret = dup2 (pipefd_from_child[1], STDOUT_FILENO); - if (ret == -1) { - err = errno; - _adcli_err ("dup2 failed [%d][%s].", err, - strerror (err)); - exit (EXIT_FAILURE); - } - - execv (binary, argv); - _adcli_err ("Failed to run %s.", binary); - ret = ADCLI_ERR_FAIL; - goto done; - } else if (child_pid > 0) { /* parent */ - - if (stdin_data != NULL) { - len = strlen (stdin_data); - ret = write (pipefd_to_child[1], stdin_data, len); - if (ret != len) { - _adcli_err ("Failed to send computer account password " - "to net command."); - ret = ADCLI_ERR_FAIL; - goto done; - } - } - - close (pipefd_to_child[0]); - pipefd_to_child[0] = -1; - close 
(pipefd_to_child[1]); - pipefd_to_child[0] = -1; - - if (stdout_data != NULL || stdout_data_len != NULL) { - rlen = read (pipefd_from_child[0], read_buf, sizeof (read_buf)); - if (rlen < 0) { - ret = errno; - _adcli_err ("Failed to read from child [%d][%s].\n", - ret, strerror (ret)); - ret = ADCLI_ERR_FAIL; - goto done; - } - - out = malloc (sizeof(uint8_t) * rlen); - if (out == NULL) { - _adcli_err ("Failed to allocate memory " - "for child output."); - ret = ADCLI_ERR_FAIL; - goto done; - } else { - memcpy (out, read_buf, rlen); - } - - if (stdout_data != NULL) { - *stdout_data = out; - } else { - free (out); - } - - if (stdout_data_len != NULL) { - *stdout_data_len = rlen; - } - } - - } else { - _adcli_err ("Cannot run net command."); - ret = ADCLI_ERR_FAIL; - goto done; - } - - ret = ADCLI_SUCCESS; - -done: - if (pipefd_from_child[0] != -1) { - close (pipefd_from_child[0]); - } - if (pipefd_from_child[1] != -1) { - close (pipefd_from_child[1]); - } - if (pipefd_to_child[0] != -1) { - close (pipefd_to_child[0]); - } - if (pipefd_to_child[1] != -1) { - close (pipefd_to_child[1]); - } - - if (child_pid > 0) { - wret = waitpid (child_pid, &status, 0); - if (wret == -1) { - _adcli_err ("No sure what happend to net command."); - } else { - if (WIFEXITED (status) && WEXITSTATUS (status) != 0) { - _adcli_err ("net command failed with %d.", - WEXITSTATUS (status)); - } - } - } - - return ret; -} - - #ifdef UTIL_TESTS #include "test.h" 
@@ -725,32 +451,6 @@ test_strv_add_free (void) } static void -test_strv_add_unique_free (void) -{ - char **strv = NULL; - - strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("one"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("two"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("tWo"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("three"), NULL, false); - strv = _adcli_strv_add_unique (strv, strdup ("TWO"), NULL, true); - - assert_num_eq (_adcli_strv_len (strv), 4); - - assert_str_eq (strv[0], "one"); - assert_str_eq (strv[1], "two"); - assert_str_eq (strv[2], "three"); - assert_str_eq (strv[3], "TWO"); - assert (strv[4] == NULL); - - _adcli_strv_free (strv); -} - - -static void test_strv_dup (void) { char *values[] = { "one", "two", "three", NULL }; 
@@ -801,113 +501,20 @@ test_check_nt_time_string_lifetime (void) (time (NULL) + 10 + AD_TO_UNIX_TIME_CONST) * 1000 * 1000 *10) != -1); assert (!_adcli_check_nt_time_string_lifetime (time_str, 0)); - free (time_str); /* This test will fail some time after 2200AD as a reminder to reflect * why adcli is still needed. */ assert (_adcli_check_nt_time_string_lifetime ("130645404000000000", 100000)); } -static void -test_bin_sid_to_str (void) -{ - uint8_t sid1[] = { 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0xF8, 0x12, 0x13, 0xDC, - 0x47, 0xF3, 0x1C, 0x76, 0x47, 0x2F, 0x2E, 0xD7, - 0x51, 0x04, 0x00, 0x00 }; - - uint8_t sid2[] = { 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0xF8, 0x12, 0x13, 0xDC, - 0x47, 0xF3, 0x1C, 0x76, 0x47, 0x2F, 0x2E, 0xD7}; - - uint8_t sid3[] = { 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x15, 0x00, 0x00, 0x00, 0x29, 0xC9, 0x4F, 0xD9, - 0xC2, 0x3C, 0xC3, 0x78, 0x36, 0x55, 0x87, 0xF8}; - - - char *str; - - str = _adcli_bin_sid_to_str (sid1, sizeof (sid1)); - assert (str != NULL); - assert (strcmp (str, "S-1-5-21-3692237560-1981608775-3610128199-1105") == 0); - free (str); - - str = _adcli_bin_sid_to_str (sid2, sizeof (sid2)); - assert (str != NULL); - assert (strcmp (str, "S-1-5-21-3692237560-1981608775-3610128199") == 0); - free (str); - - str = _adcli_bin_sid_to_str (sid3, sizeof (sid2)); - assert (str != NULL); - assert (strcmp (str, "S-1-5-21-3645884713-2026060994-4169618742") == 0); - free (str); -} - -static void -test_call_external_program (void) -{ - adcli_result res; - char *argv[] = { NULL, NULL, NULL }; - uint8_t *stdout_data; - size_t stdout_data_len; - - argv[0] = "/does/not/exists"; - res = _adcli_call_external_program (argv[0], argv, NULL, NULL, NULL); - assert (res == ADCLI_ERR_FAIL); - -#ifdef BIN_CAT - argv[0] = BIN_CAT; - res = _adcli_call_external_program (argv[0], argv, "Hello", - &stdout_data, &stdout_data_len); - assert (res == ADCLI_SUCCESS); - assert 
(strncmp ("Hello", (char *) stdout_data, stdout_data_len) == 0); - free (stdout_data); - - res = _adcli_call_external_program (argv[0], argv, "Hello", - NULL, NULL); - assert (res == ADCLI_SUCCESS); -#endif - -#ifdef BIN_REV - argv[0] = BIN_REV; - res = _adcli_call_external_program (argv[0], argv, "Hello\n", - &stdout_data, &stdout_data_len); - assert (res == ADCLI_SUCCESS); - assert (strncmp ("olleH\n", (char *) stdout_data, stdout_data_len) == 0); - free (stdout_data); -#endif - -#ifdef BIN_TAC - argv[0] = BIN_TAC; - res = _adcli_call_external_program (argv[0], argv, "Hello\nWorld\n", - &stdout_data, &stdout_data_len); - assert (res == ADCLI_SUCCESS); - assert (strncmp ("World\nHello\n", (char *) stdout_data, stdout_data_len) == 0); - free (stdout_data); -#endif - -#ifdef BIN_ECHO - argv[0] = BIN_ECHO; - argv[1] = "Hello"; - res = _adcli_call_external_program (argv[0], argv, NULL, - &stdout_data, &stdout_data_len); - assert (res == ADCLI_SUCCESS); - assert (strncmp ("Hello\n", (char *) stdout_data, stdout_data_len) == 0); - free (stdout_data); -#endif -} - int main (int argc, char *argv[]) { test_func (test_strv_add_free, "/util/strv_add_free"); - test_func (test_strv_add_unique_free, "/util/strv_add_unique_free"); test_func (test_strv_dup, "/util/strv_dup"); test_func (test_strv_count, "/util/strv_count"); test_func (test_check_nt_time_string_lifetime, "/util/check_nt_time_string_lifetime"); - test_func (test_bin_sid_to_str, "/util/bin_sid_to_str"); - test_func (test_call_external_program, "/util/call_external_program"); return test_run (argc, argv); } diff --git a/library/seq.c b/library/seq.c index 8e7475d..627dcaf 100644 --- a/library/seq.c +++ b/library/seq.c 
@@ -112,24 +112,6 @@ seq_push (seq_voidp sequence, } static int -linear_search (void **seq, - int low, - int high, - void *match, - seq_compar compar) -{ - int at; - - for (at = low; at < high; at++) { - if (compar (match, seq[at]) == 0) { - break; - } - } - - return at; -} - -static int binary_search (void **seq, int low, int high, @@ -189,13 +171,12 @@ seq_insert (seq_voidp sequence, return seq; } -static void -seq_remove_int (seq_voidp sequence, - int *length, - void *match, - seq_search search, - seq_compar compar, - seq_destroy destroy) +void +seq_remove (seq_voidp sequence, + int *length, + void *match, + seq_compar compar, + seq_destroy destroy) { void **seq = sequence; int at; @@ -206,7 +187,7 @@ seq_remove_int (seq_voidp sequence, assert (match != NULL); len = *length; - at = search (seq, 0, len, match, compar); + at = binary_search (seq, 0, len, match, compar); /* We have a matching value */ if (at < len && compar (match, seq[at]) == 0) { @@ -221,26 +202,6 @@ seq_remove_int (seq_voidp sequence, } void -seq_remove (seq_voidp sequence, - int *length, - void *match, - seq_compar compar, - seq_destroy destroy) -{ - return seq_remove_int (sequence, length, match, binary_search, compar, destroy); -} - -void -seq_remove_unsorted (seq_voidp sequence, - int *length, - void *match, - seq_compar compar, - seq_destroy destroy) -{ - return seq_remove_int (sequence, length, match, linear_search, compar, destroy); -} - -void seq_filter (seq_voidp sequence, int *length, void *match, 
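Review bot: `seq_remove` now calls `binary_search` directly, so the sequence must already be ordered by `compar` for the removal to find its element; neither the new signature nor a comment says so, and as the only remaining removal routine it will silently miss elements in an unsorted sequence. A comment above the `void seq_remove (seq_voidp sequence,` definition, `/* sequence must be sorted by compar; lookup is a binary search */`, would record the precondition, and the declaration in seq.h could carry the same note. The body of `seq_remove` continues in the following hunk.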
@@ -469,99 +430,6 @@ test_remove (void) seq_free (seq, NULL); } -static void -test_remove_unsorted (void) -{ - void **seq = NULL; - int len = 0; - - seq = seq_push (seq, &len, "3"); - seq = seq_push (seq, &len, "5"); - seq = seq_push (seq, &len, "1"); - seq = seq_push (seq, &len, "4"); - seq = seq_push (seq, &len, "2"); - - assert_str_eq (seq[0], "3"); - assert_str_eq (seq[1], "5"); - assert_str_eq (seq[2], "1"); - assert_str_eq (seq[3], "4"); - assert_str_eq (seq[4], "2"); - assert (seq[5] == NULL); - assert_num_eq (len, 5); - - seq_remove_unsorted (seq, &len, "3", (seq_compar)strcmp, NULL); - seq_remove_unsorted (seq, &len, "2", (seq_compar)strcmp, NULL); - - assert_str_eq (seq[0], "5"); - assert_str_eq (seq[1], "1"); - assert_str_eq (seq[2], "4"); - assert (seq[3] == NULL); - assert_num_eq (len, 3); - - seq_free (seq, NULL); -} - -static void -test_remove_first (void) -{ - void **seq = NULL; - int len = 0; - - seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "5", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "4", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "2", (seq_compar)strcmp, NULL); - - assert_str_eq (seq[0], "1"); - assert_str_eq (seq[1], "2"); - assert_str_eq (seq[2], "3"); - assert_str_eq (seq[3], "4"); - assert_str_eq (seq[4], "5"); - assert (seq[5] == NULL); - assert_num_eq (len, 5); - - seq_remove (seq, &len, "1", (seq_compar)strcmp, NULL); - - assert_str_eq (seq[0], "2"); - assert_str_eq (seq[1], "3"); - assert_str_eq (seq[2], "4"); - assert_str_eq (seq[3], "5"); - assert (seq[4] == NULL); - assert_num_eq (len, 4); - - seq_free (seq, NULL); -} - -static void -test_remove_last (void) -{ - void **seq = NULL; - int len = 0; - - seq = seq_insert (seq, &len, "3", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "1", (seq_compar)strcmp, NULL); - seq = seq_insert (seq, &len, "4", (seq_compar)strcmp, NULL); - seq = 
seq_insert (seq, &len, "2", (seq_compar)strcmp, NULL); - - assert_str_eq (seq[0], "1"); - assert_str_eq (seq[1], "2"); - assert_str_eq (seq[2], "3"); - assert_str_eq (seq[3], "4"); - assert (seq[4] == NULL); - assert_num_eq (len, 4); - - seq_remove (seq, &len, "4", (seq_compar)strcmp, NULL); - - assert_str_eq (seq[0], "1"); - assert_str_eq (seq[1], "2"); - assert_str_eq (seq[2], "3"); - assert (seq[3] == NULL); - assert_num_eq (len, 3); - - seq_free (seq, NULL); -} - static int compar_even (void *match, void *value) @@ -763,9 +631,6 @@ main (int argc, test_func (test_insert, "/seq/insert"); test_func (test_insert_destroys, "/seq/insert_destroys"); test_func (test_remove, "/seq/remove"); - test_func (test_remove_unsorted, "/seq/remove_unsorted"); - test_func (test_remove_first, "/seq/remove_first"); - test_func (test_remove_last, "/seq/remove_last"); test_func (test_remove_destroys, "/seq/remove_destroys"); test_func (test_filter, "/seq/filter"); test_func (test_filter_null, "/seq/filter_null"); diff --git a/library/seq.h b/library/seq.h index 5d48848..694965b 100644 --- a/library/seq.h +++ b/library/seq.h @@ -44,12 +44,6 @@ typedef void * (* seq_copy) (void *value); typedef void (* seq_destroy) (void *value); -typedef int (* seq_search) (void **seq, - int low, - int high, - void *match, - seq_compar compar); - seq_voidp seq_push (seq_voidp seq, int *length, void *value) WARN_UNUSED; @@ -68,12 +62,6 @@ void seq_remove (seq_voidp seq, seq_compar compar, seq_destroy destroy); -void seq_remove_unsorted (seq_voidp seq, - int *length, - void *match, - seq_compar compar, - seq_destroy destroy); - seq_voidp seq_lookup (seq_voidp seq, int *length, void *match, diff --git a/tools/computer.c b/tools/computer.c index a98ae5b..d8a58c9 100644 --- a/tools/computer.c +++ b/tools/computer.c @@ -30,7 +30,6 @@ #include #include #include -#include static void dump_details (adcli_conn *conn, 
@@ -44,7 +43,6 @@ dump_details (adcli_conn *conn,
 printf ("domain-realm = %s\n", adcli_conn_get_domain_realm (conn));
 printf ("domain-controller = %s\n", adcli_conn_get_domain_controller (conn));
 printf ("domain-short = %s\n", adcli_conn_get_domain_short (conn));
- printf ("domain-SID = %s\n", adcli_conn_get_domain_sid (conn));
 printf ("naming-context = %s\n", adcli_conn_get_default_naming_context (conn));
 printf ("domain-ou = %s\n", adcli_enroll_get_domain_ou (enroll));
@@ -107,20 +105,12 @@ typedef enum {
 opt_os_service_pack,
 opt_user_principal,
 opt_computer_password_lifetime,
- opt_add_samba_data,
- opt_samba_data_tool,
- opt_trusted_for_delegation,
- opt_add_service_principal,
- opt_remove_service_principal,
- opt_description,
- opt_use_ldaps,
 } Option;
 static adcli_tool_desc common_usages[] = {
 { opt_domain, "active directory domain name" },
 { opt_domain_realm, "kerberos realm for the domain" },
 { opt_domain_controller, "domain controller to connect to" },
- { opt_use_ldaps, "use LDAPS port for communication" },
 { opt_host_fqdn, "override the fully qualified domain name of the\n"
 "local machine" },
 { opt_host_keytab, "filename for the host kerberos keytab" },
@@ -141,11 +131,6 @@ static adcli_tool_desc common_usages[] = {
 { opt_os_service_pack, "the computer operating system service pack", },
 { opt_user_principal, "add an authentication principal to the account", },
 { opt_computer_password_lifetime, "lifetime of the host accounts password in days", },
- { opt_trusted_for_delegation, "set/unset the TRUSTED_FOR_DELEGATION flag\n"
- "in the userAccountControl attribute", },
- { opt_add_service_principal, "add the given service principal to the account\n" },
- { opt_remove_service_principal, "remove the given service principal from the account\n" },
- { opt_description, "add a description to the account\n" },
 { opt_no_password, "don't prompt for or read a password" },
 { opt_prompt_password, "prompt for a password if necessary" },
 { opt_stdin_password, "read a password from stdin (until EOF) if\n"
@@ -156,14 +141,11 @@ static adcli_tool_desc common_usages[] = {
 "a successful join" },
 { opt_show_password, "show computer account password after after a\n"
 "successful join" },
- { opt_add_samba_data, "add domain SID and computer account password\n"
- "to the Samba specific configuration database" },
- { opt_samba_data_tool, "Absolute path to the tool used for add-samba-data" },
 { opt_verbose, "show verbose progress and failure messages", },
 { 0 },
 };
-static int
+static void
 parse_option (Option opt,
 const char *optarg,
 adcli_conn *conn,
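Review bot: The new `static void` signature of parse_option gives its callers no hint that a usage error now terminates the process instead of being reported back, and the hunk adds no comment saying so. A one-line comment above the signature, `/* Exits the process via errx() on any usage error; never returns a failure status to the caller. */`, would make that contract visible at the call sites in adcli_tool_computer_join and the other entry points, where the old `res != ADCLI_SUCCESS` handling is being removed. The same applies to the `static int` to `static void` change on entry.c's parse_option further down. parse_option's body is in the next hunk.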
@@ -174,162 +156,123 @@ parse_option (Option opt, static int stdin_password = 0; char *endptr; unsigned int lifetime; - int ret; switch (opt) { case opt_login_ccache: adcli_conn_set_login_ccache_name (conn, optarg ? optarg : ""); - return ADCLI_SUCCESS; + return; case opt_login_user: if (adcli_conn_get_allowed_login_types (conn) & ADCLI_LOGIN_USER_ACCOUNT) { adcli_conn_set_login_user (conn, optarg); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); } else { - warnx ("cannot set --user if --login-type not set to 'user'"); - return EUSAGE; + errx (EUSAGE, "cannot set --user if --login-type not set to 'user'"); } - return ADCLI_SUCCESS; + return; case opt_login_type: if (optarg && strcmp (optarg, "computer") == 0) { - if (adcli_conn_get_login_user (conn) != NULL) { - warnx ("cannot set --login-type to 'computer' if --user is set"); - return EUSAGE; - } else + if (adcli_conn_get_login_user (conn) != NULL) + errx (EUSAGE, "cannot set --login-type to 'computer' if --user is set"); + else adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT); } else if (optarg && strcmp (optarg, "user") == 0) { adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); } else { - warnx ("unknown login type '%s'", optarg); - return EUSAGE; + errx (EUSAGE, "unknown login type '%s'", optarg); } - return ADCLI_SUCCESS; + return; case opt_host_fqdn: adcli_conn_set_host_fqdn (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_host_keytab: adcli_enroll_set_keytab_name (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_computer_name: adcli_conn_set_computer_name (conn, optarg); adcli_enroll_set_computer_name (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_domain: adcli_conn_set_domain_name (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_domain_realm: adcli_conn_set_domain_realm (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_domain_controller: adcli_conn_set_domain_controller (conn, optarg); - 
return ADCLI_SUCCESS; + return; case opt_domain_ou: adcli_enroll_set_domain_ou (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_service_name: adcli_enroll_add_service_name (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_no_password: if (stdin_password || prompt_password) { - warnx ("cannot use --no-password argument with %s", - stdin_password ? "--stdin-password" : "--prompt-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --no-password argument with %s", + stdin_password ? "--stdin-password" : "--prompt-password"); } else { adcli_conn_set_password_func (conn, NULL, NULL, NULL); no_password = 1; } - return ADCLI_SUCCESS; + return; case opt_prompt_password: if (stdin_password || no_password) { - warnx ("cannot use --prompt-password argument with %s", - stdin_password ? "--stdin-password" : "--no-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --prompt-password argument with %s", + stdin_password ? "--stdin-password" : "--no-password"); } else { adcli_conn_set_password_func (conn, adcli_prompt_password_func, NULL, NULL); prompt_password = 1; } - return ADCLI_SUCCESS; + return; case opt_stdin_password: if (prompt_password || no_password) { - warnx ("cannot use --stdin-password argument with %s", - prompt_password ? "--prompt-password" : "--no-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --stdin-password argument with %s", + prompt_password ? 
"--prompt-password" : "--no-password"); } else { adcli_conn_set_password_func (conn, adcli_read_password_func, NULL, NULL); stdin_password = 1; } - return ADCLI_SUCCESS; + return; case opt_os_name: adcli_enroll_set_os_name (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_os_version: adcli_enroll_set_os_version (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_os_service_pack: adcli_enroll_set_os_service_pack (enroll, optarg); - return ADCLI_SUCCESS; + return; case opt_user_principal: if (optarg && optarg[0]) adcli_enroll_set_user_principal (enroll, optarg); else adcli_enroll_auto_user_principal (enroll); - return ADCLI_SUCCESS; + return; case opt_computer_password_lifetime: errno = 0; lifetime = strtoul (optarg, &endptr, 10); if (errno != 0 || *endptr != '\0' || endptr == optarg) { - warnx ("failure to parse value '%s' of option 'computer-password-lifetime'; " - "expecting non-negative integer indicating the lifetime in days", - optarg); - return EUSAGE; + errx (EUSAGE, + "failure to parse value '%s' of option 'computer-password-lifetime'; " + "expecting non-negative integer indicating the lifetime in days", + optarg); } adcli_enroll_set_computer_password_lifetime (enroll, lifetime); - return ADCLI_SUCCESS; - case opt_samba_data_tool: - errno = 0; - ret = access (optarg, X_OK); - if (ret != 0) { - ret = errno; - warnx ("Failed to access tool to add Samba data: %s", strerror (ret)); - return EUSAGE; - } else { - adcli_enroll_set_samba_data_tool (enroll, optarg); - } - return ADCLI_SUCCESS; - case opt_trusted_for_delegation: - if (strcasecmp (optarg, "true") == 0 || strcasecmp (optarg, "yes") == 0) { - adcli_enroll_set_trusted_for_delegation (enroll, true); - } else { - adcli_enroll_set_trusted_for_delegation (enroll, false); - } - return ADCLI_SUCCESS; - case opt_add_service_principal: - adcli_enroll_add_service_principal_to_add (enroll, optarg); - return ADCLI_SUCCESS; - case opt_remove_service_principal: - 
adcli_enroll_add_service_principal_to_remove (enroll, optarg); - return ADCLI_SUCCESS; - case opt_description: - adcli_enroll_set_description (enroll, optarg); - return ADCLI_SUCCESS; - case opt_use_ldaps: - adcli_conn_set_use_ldaps (conn, true); - return ADCLI_SUCCESS; + return; case opt_verbose: - return ADCLI_SUCCESS; + return; /* Should be handled by caller */ case opt_show_details: case opt_show_password: case opt_one_time_password: - case opt_add_samba_data: assert (0 && "not reached"); break; } - warnx ("failure to parse option '%c'", opt); - return EUSAGE; + errx (EUSAGE, "failure to parse option '%c'", opt); } static void @@ -362,7 +305,6 @@ adcli_tool_computer_join (adcli_conn *conn, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, { "domain-server", required_argument, NULL, opt_domain_controller }, /* compat */ - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "user", required_argument, NULL, opt_login_user }, /* compat */ { "login-ccache", optional_argument, NULL, opt_login_ccache }, 
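Review bot: The `opt_computer_password_lifetime` branch calls `strtoul (optarg, &endptr, 10)` without checking `optarg` for NULL, but adcli_tool_computer_update registers the option as `optional_argument`, so `--computer-password-lifetime` given without a value can reach the parse with a null pointer, which is undefined behaviour; the `opt_user_principal` branch just above guards the same case with `if (optarg && optarg[0])`, and whether adcli_tool_getopt ever substitutes something for a missing value is not visible here. A guard ahead of the `errno = 0;` line closes it: `if (optarg == NULL) errx (EUSAGE, "option 'computer-password-lifetime' requires a value");`. Separately, `lifetime` is declared `unsigned int` while strtoul returns `unsigned long`, so on LP64 a value above UINT_MAX is truncated silently before adcli_enroll_set_computer_password_lifetime sees it; parsing into an `unsigned long` and rejecting anything above UINT_MAX would keep the "non-negative integer" message honest. parse_option's signature is in the previous hunk.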
@@ -380,14 +322,9 @@ adcli_tool_computer_join (adcli_conn *conn,
 { "os-name", required_argument, NULL, opt_os_name },
 { "os-version", required_argument, NULL, opt_os_version },
 { "os-service-pack", optional_argument, NULL, opt_os_service_pack },
- { "description", optional_argument, NULL, opt_description },
 { "user-principal", optional_argument, NULL, opt_user_principal },
- { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation },
- { "add-service-principal", required_argument, NULL, opt_add_service_principal },
 { "show-details", no_argument, NULL, opt_show_details },
 { "show-password", no_argument, NULL, opt_show_password },
- { "add-samba-data", no_argument, NULL, opt_add_samba_data },
- { "samba-data-tool", no_argument, NULL, opt_samba_data_tool },
 { "verbose", no_argument, NULL, opt_verbose },
 { "help", no_argument, NULL, 'h' },
 { 0 },
@@ -399,10 +336,8 @@ adcli_tool_computer_join (adcli_conn *conn,
 };
 enroll = adcli_enroll_new (conn);
- if (enroll == NULL) {
- warnx ("unexpected memory problems");
- return -1;
- }
+ if (enroll == NULL)
+ errx (-1, "unexpected memory problems");
 while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) {
 switch (opt) {
@@ -416,9 +351,6 @@ adcli_tool_computer_join (adcli_conn *conn,
 case opt_show_password:
 show_password = 1;
 break;
- case opt_add_samba_data:
- flags |= ADCLI_ENROLL_ADD_SAMBA_DATA;
- break;
 case 'h':
 case '?':
 case ':':
@@ -427,11 +359,7 @@ adcli_tool_computer_join (adcli_conn *conn,
 adcli_enroll_unref (enroll);
 return opt == 'h' ? 0 : 2;
 default:
- res = parse_option ((Option)opt, optarg, conn, enroll);
- if (res != ADCLI_SUCCESS) {
- adcli_enroll_unref (enroll);
- return res;
- }
+ parse_option ((Option)opt, optarg, conn, enroll);
 break;
 }
 }
@@ -441,28 +369,21 @@ adcli_tool_computer_join (adcli_conn *conn,
 if (argc == 1)
 adcli_conn_set_domain_name (conn, argv[0]);
- else if (argc > 1) {
- warnx ("extra arguments specified");
- adcli_enroll_unref (enroll);
- return 2;
- }
+ else if (argc > 1)
+ errx (2, "extra arguments specified");
 res = adcli_conn_connect (conn);
 if (res != ADCLI_SUCCESS) {
- warnx ("couldn't connect to %s domain: %s",
- adcli_conn_get_domain_name (conn),
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
 }
 res = adcli_enroll_join (enroll, flags);
 if (res != ADCLI_SUCCESS) {
- warnx ("joining domain %s failed: %s",
- adcli_conn_get_domain_name (conn),
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "joining domain %s failed: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
 }
 if (details)
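Review bot: Every error path in this hunk now calls `errx (-res, ...)` and exits from inside adcli_tool_computer_join, so the `adcli_enroll_unref (enroll)` the old code ran before returning never happens; what adcli_enroll_unref does on teardown is not visible here, but an enroll object that has been through adcli_enroll_join plausibly holds the computer account password and keytab state, and that release is skipped on exactly the failure paths. The status handed to errx is also negative: exit() keeps only the low 8 bits, so `-res` reaches the shell as `256 - res` and `errx (-1, ...)` as 255, whereas the old `return -res` left the mapping to whoever called this function. If process exit is the intended contract, keep the teardown explicit, e.g. `adcli_enroll_unref (enroll); errx (-res, "joining domain %s failed: %s", adcli_conn_get_domain_name (conn), adcli_get_last_error ());`. The same pattern recurs below in adcli_tool_computer_update, _preset, _reset and _delete, and in entry.c's adcli_tool_user_create, where `adcli_attrs_free (attrs)` is dropped the same way.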
@@ -499,16 +420,10 @@ adcli_tool_computer_update (adcli_conn *conn, { "os-name", required_argument, NULL, opt_os_name }, { "os-version", required_argument, NULL, opt_os_version }, { "os-service-pack", optional_argument, NULL, opt_os_service_pack }, - { "description", optional_argument, NULL, opt_description }, { "user-principal", optional_argument, NULL, opt_user_principal }, { "computer-password-lifetime", optional_argument, NULL, opt_computer_password_lifetime }, - { "trusted-for-delegation", required_argument, NULL, opt_trusted_for_delegation }, - { "add-service-principal", required_argument, NULL, opt_add_service_principal }, - { "remove-service-principal", required_argument, NULL, opt_remove_service_principal }, { "show-details", no_argument, NULL, opt_show_details }, { "show-password", no_argument, NULL, opt_show_password }, - { "add-samba-data", no_argument, NULL, opt_add_samba_data }, - { "samba-data-tool", no_argument, NULL, opt_samba_data_tool }, { "verbose", no_argument, NULL, opt_verbose }, { "help", no_argument, NULL, 'h' }, { 0 }, @@ -520,10 +435,8 @@ adcli_tool_computer_update (adcli_conn *conn, }; enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (enroll == NULL) + errx (-1, "unexpected memory problems"); while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { switch (opt) { @@ -533,9 +446,6 @@ adcli_tool_computer_update (adcli_conn *conn, case opt_show_password: show_password = 1; break; - case opt_add_samba_data: - flags |= ADCLI_ENROLL_ADD_SAMBA_DATA; - break; case 'h': case '?': case ':': @@ -544,11 +454,7 @@ adcli_tool_computer_update (adcli_conn *conn, adcli_enroll_unref (enroll); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } + parse_option ((Option)opt, optarg, conn, enroll); break; } } 
@@ -565,28 +471,22 @@ adcli_tool_computer_update (adcli_conn *conn,
 res = adcli_enroll_load (enroll);
 if (res != ADCLI_SUCCESS) {
- warnx ("couldn't lookup domain info from keytab: %s",
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
 }
 res = adcli_conn_connect (conn);
 if (res != ADCLI_SUCCESS) {
- warnx ("couldn't connect to %s domain: %s",
- adcli_conn_get_domain_name (conn),
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
 }
 res = adcli_enroll_update (enroll, flags);
 if (res != ADCLI_SUCCESS) {
- warnx ("updating membership with domain %s failed: %s",
- adcli_conn_get_domain_name (conn),
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "updating membership with domain %s failed: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
 }
 if (details)
@@ -599,84 +499,6 @@ adcli_tool_computer_update (adcli_conn *conn, return 0; } -int -adcli_tool_computer_testjoin (adcli_conn *conn, - int argc, - char *argv[]) -{ - adcli_enroll *enroll; - adcli_result res; - const char *ktname; - int opt; - - struct option options[] = { - { "domain", required_argument, NULL, opt_domain }, - { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "host-keytab", required_argument, 0, opt_host_keytab }, - { "verbose", no_argument, NULL, opt_verbose }, - { "help", no_argument, NULL, 'h' }, - { 0 }, - }; - - static adcli_tool_desc usages[] = { - { 0, "usage: adcli testjoin" }, - { 0 }, - }; - - enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } - - while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case 'h': - case '?': - case ':': - adcli_tool_usage (options, usages); - adcli_tool_usage (options, common_usages); - adcli_enroll_unref (enroll); - return opt == 'h' ? 0 : 2; - default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } - break; - } - } - - /* Force use of a keytab to test the join/machine account password */ - adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_COMPUTER_ACCOUNT); - ktname = adcli_enroll_get_keytab_name (enroll); - adcli_conn_set_login_keytab_name (conn, ktname ? 
ktname : ""); - - res = adcli_enroll_load (enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - warnx ("couldn't lookup domain info from keytab: %s", - adcli_get_last_error ()); - return -res; - } - - res = adcli_conn_connect (conn); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - return -res; - } - - printf ("Sucessfully validated join to domain %s\n", - adcli_conn_get_domain_name (conn)); - - adcli_enroll_unref (enroll); - - return 0; -} int adcli_tool_computer_preset (adcli_conn *conn, @@ -694,7 +516,6 @@ adcli_tool_computer_preset (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "domain-ou", required_argument, NULL, opt_domain_ou }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, @@ -718,10 +539,8 @@ adcli_tool_computer_preset (adcli_conn *conn, }; enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (enroll == NULL) + errx (-1, "unexpected memory problems"); flags = ADCLI_ENROLL_NO_KEYTAB; while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { @@ -741,11 +560,7 @@ adcli_tool_computer_preset (adcli_conn *conn, adcli_enroll_unref (enroll); return 2; default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } + parse_option ((Option)opt, optarg, conn, enroll); break; } } 
@@ -753,22 +568,17 @@ adcli_tool_computer_preset (adcli_conn *conn, argc -= optind; argv += optind; - if (argc < 1) { - warnx ("specify one or more host names of computer accounts to preset"); - adcli_enroll_unref (enroll); - return EUSAGE; - } + if (argc < 1) + errx (EUSAGE, "specify one or more host names of computer accounts to preset"); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); reset_password = (adcli_enroll_get_computer_password (enroll) == NULL); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } for (i = 0; i < argc; i++) { @@ -779,11 +589,9 @@ adcli_tool_computer_preset (adcli_conn *conn, res = adcli_enroll_join (enroll, flags); if (res != ADCLI_SUCCESS) { - warnx ("presetting %s in %s domain failed: %s", argv[i], - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; + errx (-res, "presetting %s in %s domain failed: %s", argv[i], + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } printf ("computer-name: %s\n", adcli_enroll_get_computer_name (enroll)); @@ -807,7 +615,6 @@ adcli_tool_computer_reset (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "login-type", required_argument, NULL, opt_login_type }, 
@@ -825,10 +632,8 @@ adcli_tool_computer_reset (adcli_conn *conn, }; enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (enroll == NULL) + errx (-1, "unexpected memory problems"); while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { switch (opt) { @@ -840,11 +645,7 @@ adcli_tool_computer_reset (adcli_conn *conn, adcli_enroll_unref (enroll); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } + parse_option ((Option)opt, optarg, conn, enroll); break; } } @@ -852,19 +653,14 @@ adcli_tool_computer_reset (adcli_conn *conn, argc -= optind; argv += optind; - if (argc != 1) { - warnx ("specify one host name of computer account to reset"); - adcli_enroll_unref (enroll); - return EUSAGE; - } + if (argc != 1) + errx (EUSAGE, "specify one host name of computer account to reset"); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } parse_fqdn_or_name (enroll, argv[0]); @@ -872,11 +668,9 @@ adcli_tool_computer_reset (adcli_conn *conn, res = adcli_enroll_password (enroll, 0); if (res != ADCLI_SUCCESS) { - warnx ("resetting %s in %s domain failed: %s", argv[0], - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; + errx (-res, "resetting %s in %s domain failed: %s", argv[0], + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_enroll_unref (enroll); 
@@ -896,7 +690,6 @@ adcli_tool_computer_delete (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, @@ -913,10 +706,8 @@ adcli_tool_computer_delete (adcli_conn *conn, }; enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (enroll == NULL) + errx (-1, "unexpected memory problems"); while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { switch (opt) { @@ -928,11 +719,7 @@ adcli_tool_computer_delete (adcli_conn *conn, adcli_enroll_unref (enroll); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } + parse_option ((Option)opt, optarg, conn, enroll); break; } } 
@@ -940,29 +727,22 @@ adcli_tool_computer_delete (adcli_conn *conn,
 argc -= optind;
 argv += optind;
- if (argc > 1) {
- warnx ("specify one host name of computer account to delete");
- adcli_enroll_unref (enroll);
- return EUSAGE;
- }
+ if (argc > 1)
+ errx (EUSAGE, "specify one host name of computer account to delete");
 adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT);
 res = adcli_enroll_load (enroll);
 if (res != ADCLI_SUCCESS) {
- warnx ("couldn't lookup domain info from keytab: %s",
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "couldn't lookup domain info from keytab: %s",
+ adcli_get_last_error ());
 }
 res = adcli_conn_connect (conn);
 if (res != ADCLI_SUCCESS) {
- warnx ("couldn't connect to %s domain: %s",
- adcli_conn_get_domain_name (conn),
- adcli_get_last_error ());
- adcli_enroll_unref (enroll);
- return -res;
+ errx (-res, "couldn't connect to %s domain: %s",
+ adcli_conn_get_domain_name (conn),
+ adcli_get_last_error ());
 }
 if (argc == 1)
@@ -970,105 +750,9 @@ adcli_tool_computer_delete (adcli_conn *conn, res = adcli_enroll_delete (enroll, 0); if (res != ADCLI_SUCCESS) { - warnx ("deleting %s in %s domain failed: %s", argv[0], - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; - } - - adcli_enroll_unref (enroll); - return 0; -} - -int -adcli_tool_computer_show (adcli_conn *conn, - int argc, - char *argv[]) -{ - adcli_enroll *enroll; - adcli_result res; - int opt; - - struct option options[] = { - { "domain", required_argument, NULL, opt_domain }, - { "domain-realm", required_argument, NULL, opt_domain_realm }, - { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, - { "login-user", required_argument, NULL, opt_login_user }, - { "login-ccache", optional_argument, NULL, opt_login_ccache }, - { "login-type", required_argument, NULL, opt_login_type }, - { "no-password", no_argument, 0, opt_no_password }, - { "stdin-password", no_argument, 0, opt_stdin_password }, - { "prompt-password", no_argument, 0, opt_prompt_password }, - { "verbose", no_argument, NULL, opt_verbose }, - { "help", no_argument, NULL, 'h' }, - { 0 }, - }; - - static adcli_tool_desc usages[] = { - { 0, "usage: adcli show-computer --domain=xxxx host1.example.com" }, - { 0 }, - }; - - enroll = adcli_enroll_new (conn); - if (enroll == NULL) { - warnx ("unexpected memory problems"); - return -1; - } - - while ((opt = adcli_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case 'h': - case '?': - case ':': - adcli_tool_usage (options, usages); - adcli_tool_usage (options, common_usages); - adcli_enroll_unref (enroll); - return opt == 'h' ? 
0 : 2; - default: - res = parse_option ((Option)opt, optarg, conn, enroll); - if (res != ADCLI_SUCCESS) { - adcli_enroll_unref (enroll); - return res; - } - break; - } - } - - argc -= optind; - argv += optind; - - res = adcli_conn_connect (conn); - if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; - } - - if (argc == 1) { - parse_fqdn_or_name (enroll, argv[0]); - } - - res = adcli_enroll_read_computer_account (enroll, 0); - if (res != ADCLI_SUCCESS) { - warnx ("couldn't read data for %s: %s", - adcli_enroll_get_host_fqdn (enroll) != NULL - ? adcli_enroll_get_host_fqdn (enroll) - : adcli_enroll_get_computer_name (enroll), - adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; - } - - res = adcli_enroll_show_computer_attribute (enroll); - if (res != ADCLI_SUCCESS) { - warnx ("couldn't print data for %s: %s", - argv[0], adcli_get_last_error ()); - adcli_enroll_unref (enroll); - return -res; + errx (-res, "deleting %s in %s domain failed: %s", argv[0], + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_enroll_unref (enroll); diff --git a/tools/entry.c b/tools/entry.c index 05e4313..7b6a200 100644 --- a/tools/entry.c +++ b/tools/entry.c @@ -52,8 +52,6 @@ typedef enum { opt_unix_uid, opt_unix_gid, opt_unix_shell, - opt_nis_domain, - opt_use_ldaps, } Option; static adcli_tool_desc common_usages[] = { 
@@ -64,11 +62,9 @@ static adcli_tool_desc common_usages[] = {
 { opt_unix_uid, "unix uid number" },
 { opt_unix_gid, "unix gid number" },
 { opt_unix_shell, "unix shell" },
- { opt_nis_domain, "NIS domain" },
 { opt_domain, "active directory domain name" },
 { opt_domain_realm, "kerberos realm for the domain" },
 { opt_domain_controller, "domain directory server to connect to" },
- { opt_use_ldaps, "use LDAPS port for communication" },
 { opt_login_ccache, "kerberos credential cache file which contains\n"
 "ticket to used to connect to the domain" },
 { opt_login_user, "user (usually administrative) login name of\n"
@@ -83,7 +79,7 @@ static adcli_tool_desc common_usages[] = {
 { 0 },
 };
-static int
+static void
 parse_option (Option opt,
 const char *optarg,
 adcli_conn *conn)
@@ -95,61 +91,54 @@ parse_option (Option opt, switch (opt) { case opt_login_ccache: adcli_conn_set_login_ccache_name (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_login_user: adcli_conn_set_login_user (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_domain: adcli_conn_set_domain_name (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_domain_realm: adcli_conn_set_domain_realm (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_domain_controller: adcli_conn_set_domain_controller (conn, optarg); - return ADCLI_SUCCESS; + return; case opt_no_password: if (stdin_password || prompt_password) { - warnx ("cannot use --no-password argument with %s", - stdin_password ? "--stdin-password" : "--prompt-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --no-password argument with %s", + stdin_password ? "--stdin-password" : "--prompt-password"); } else { adcli_conn_set_password_func (conn, NULL, NULL, NULL); no_password = 1; } - return ADCLI_SUCCESS; + return; case opt_prompt_password: if (stdin_password || no_password) { - warnx ("cannot use --prompt-password argument with %s", - stdin_password ? "--stdin-password" : "--no-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --prompt-password argument with %s", + stdin_password ? "--stdin-password" : "--no-password"); } else { adcli_conn_set_password_func (conn, adcli_prompt_password_func, NULL, NULL); prompt_password = 1; } - return ADCLI_SUCCESS; + return; case opt_stdin_password: if (prompt_password || no_password) { - warnx ("cannot use --stdin-password argument with %s", - prompt_password ? "--prompt-password" : "--no-password"); - return EUSAGE; + errx (EUSAGE, "cannot use --stdin-password argument with %s", + prompt_password ? 
"--prompt-password" : "--no-password"); } else { adcli_conn_set_password_func (conn, adcli_read_password_func, NULL, NULL); stdin_password = 1; } - return ADCLI_SUCCESS; - case opt_use_ldaps: - adcli_conn_set_use_ldaps (conn, true); - return ADCLI_SUCCESS; + return; case opt_verbose: - return ADCLI_SUCCESS; + return; default: assert (0 && "not reached"); break; } - warnx ("failure to parse option '%c'", opt); - return EUSAGE; + errx (EUSAGE, "failure to parse option '%c'", opt); } int @@ -162,8 +151,6 @@ adcli_tool_user_create (adcli_conn *conn, adcli_attrs *attrs; const char *ou = NULL; int opt; - bool has_unix_attr = false; - bool has_nis_domain = false; struct option options[] = { { "display-name", required_argument, NULL, opt_display_name }, @@ -172,12 +159,10 @@ adcli_tool_user_create (adcli_conn *conn, { "unix-uid", required_argument, NULL, opt_unix_uid }, { "unix-gid", required_argument, NULL, opt_unix_gid }, { "unix-shell", required_argument, NULL, opt_unix_shell }, - { "nis-domain", required_argument, NULL, opt_nis_domain }, { "domain-ou", required_argument, NULL, opt_domain_ou }, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, 
@@ -205,23 +190,15 @@ adcli_tool_user_create (adcli_conn *conn, break; case opt_unix_home: adcli_attrs_add (attrs, "unixHomeDirectory", optarg, NULL); - has_unix_attr = true; break; case opt_unix_uid: adcli_attrs_add (attrs, "uidNumber", optarg, NULL); - has_unix_attr = true; break; case opt_unix_gid: adcli_attrs_add (attrs, "gidNumber", optarg, NULL); - has_unix_attr = true; break; case opt_unix_shell: adcli_attrs_add (attrs, "loginShell", optarg, NULL); - has_unix_attr = true; - break; - case opt_nis_domain: - adcli_attrs_add (attrs, "msSFU30NisDomain", optarg, NULL); - has_nis_domain = true; break; case opt_domain_ou: ou = optarg; @@ -234,11 +211,7 @@ adcli_tool_user_create (adcli_conn *conn, adcli_attrs_free (attrs); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - adcli_attrs_free (attrs); - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } 
@@ -246,51 +219,29 @@ adcli_tool_user_create (adcli_conn *conn, argc -= optind; argv += optind; - if (argc != 1) { - warnx ("specify one user name to create"); - adcli_attrs_free (attrs); - return 2; - } + if (argc != 1) + errx (2, "specify one user name to create"); entry = adcli_entry_new_user (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - adcli_attrs_free (attrs); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_entry_set_domain_ou (entry, ou); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - adcli_attrs_free (attrs); - return -res; - } - - if (has_unix_attr && !has_nis_domain) { - res = adcli_get_nis_domain (entry, attrs); - if (res != ADCLI_SUCCESS) { - adcli_entry_unref (entry); - adcli_attrs_free (attrs); - warnx ("couldn't get NIS domain"); - return -res; - } + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } res = adcli_entry_create (entry, attrs); if (res != ADCLI_SUCCESS) { - warnx ("creating user %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - adcli_attrs_free (attrs); - return -res; + errx (-res, "creating user %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_entry_unref (entry); 
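Review bot: The errx() calls on the new side of adcli_tool_user_create exit the process from inside the subcommand, so anything main does after the subcommand returns is skipped on every error path — if the temporary krb5 configuration directory created by setup_krb5_conf_directory (tools.c hunk further down) is removed by explicit code after the dispatch rather than by an atexit() handler, these exits leave it behind. The errx() argument is also the exit status: `errx (-1, "unexpected memory problems")` ends up as status 255, and `errx (-res, …)` is only meaningful if the ADCLI_* codes are small negative numbers, which the hunk does not show. The same pattern is used in adcli_tool_user_delete, adcli_tool_group_create, adcli_tool_group_delete, adcli_tool_member_add and adcli_tool_member_remove below. If main performs cleanup after the subcommand, registering it with atexit() keeps it running on these exits, and the memory-failure case is clearer as `errx (1, "unexpected memory problems")` or a named code such as the EFAIL used in tools.c. The function's tail after adcli_entry_unref (entry) is outside the hunk.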
@@ -312,7 +263,6 @@ adcli_tool_user_delete (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, @@ -337,10 +287,7 @@ adcli_tool_user_delete (adcli_conn *conn, adcli_tool_usage (options, common_usages); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } 
@@ -348,36 +295,28 @@ adcli_tool_user_delete (adcli_conn *conn, argc -= optind; argv += optind; - if (argc != 1) { - warnx ("specify one user name to delete"); - return 2; - } + if (argc != 1) + errx (2, "specify one user name to delete"); entry = adcli_entry_new_user (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } res = adcli_entry_delete (entry); if (res != ADCLI_SUCCESS) { - warnx ("deleting user %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "deleting user %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_entry_unref (entry); @@ -401,7 +340,6 @@ adcli_tool_group_create (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "domain-ou", required_argument, NULL, opt_domain_ou }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, 
@@ -436,11 +374,7 @@ adcli_tool_group_create (adcli_conn *conn, adcli_attrs_free (attrs); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - adcli_attrs_free (attrs); - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } @@ -448,41 +382,29 @@ adcli_tool_group_create (adcli_conn *conn, argc -= optind; argv += optind; - if (argc != 1) { - warnx ("specify one group to create"); - adcli_attrs_free (attrs); - return 2; - } + if (argc != 1) + errx (2, "specify one group to create"); entry = adcli_entry_new_group (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - adcli_attrs_free (attrs); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_entry_set_domain_ou (entry, ou); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to domain %s: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - adcli_attrs_free (attrs); - return -res; + errx (-res, "couldn't connect to domain %s: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } res = adcli_entry_create (entry, attrs); if (res != ADCLI_SUCCESS) { - warnx ("creating group %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - adcli_attrs_free (attrs); - return -res; + errx (-res, "creating group %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_entry_unref (entry); 
@@ -504,7 +426,6 @@ adcli_tool_group_delete (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, @@ -529,10 +450,7 @@ adcli_tool_group_delete (adcli_conn *conn, adcli_tool_usage (options, common_usages); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } 
@@ -540,36 +458,28 @@ adcli_tool_group_delete (adcli_conn *conn, argc -= optind; argv += optind; - if (argc != 1) { - warnx ("specify one group name to delete"); - return 2; - } + if (argc != 1) + errx (2, "specify one group name to delete"); entry = adcli_entry_new_group (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } res = adcli_entry_delete (entry); if (res != ADCLI_SUCCESS) { - warnx ("deleting group %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "deleting group %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_entry_unref (entry); @@ -577,7 +487,7 @@ adcli_tool_group_delete (adcli_conn *conn, return 0; } -static int +static void expand_user_dn_as_member (adcli_conn *conn, adcli_attrs *attrs, const char *user, 
@@ -591,19 +501,16 @@ expand_user_dn_as_member (adcli_conn *conn, res = adcli_entry_load (entry); if (res != ADCLI_SUCCESS) { - warnx ("couldn't lookup user %s in domain %s: %s", - user, adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "couldn't lookup user %s in domain %s: %s", + user, adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } dn = adcli_entry_get_dn (entry); if (dn == NULL) { - warnx ("couldn't found user %s in domain %s", - user, adcli_conn_get_domain_name (conn)); - adcli_entry_unref (entry); - return -ADCLI_ERR_CONFIG; + errx (-ADCLI_ERR_CONFIG, + "couldn't found user %s in domain %s", + user, adcli_conn_get_domain_name (conn)); } if (adding) @@ -612,8 +519,6 @@ expand_user_dn_as_member (adcli_conn *conn, adcli_attrs_delete1 (attrs, "member", dn); adcli_entry_unref (entry); - - return ADCLI_SUCCESS; } int @@ -631,7 +536,6 @@ adcli_tool_member_add (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, @@ -656,10 +560,7 @@ adcli_tool_member_add (adcli_conn *conn, adcli_tool_usage (options, common_usages); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } 
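Review bot: The message in the `dn == NULL` branch of expand_user_dn_as_member reads "couldn't found user"; it should be `errx (-ADCLI_ERR_CONFIG, "couldn't find user %s in domain %s", user, adcli_conn_get_domain_name (conn));`. The status passed there is `-ADCLI_ERR_CONFIG`, which is only a usable exit code if ADCLI_ERR_CONFIG is a small negative constant — its value is not visible here. The function's signature and the adcli_entry_load call precede this hunk.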
@@ -667,48 +568,33 @@ adcli_tool_member_add (adcli_conn *conn, argc -= optind; argv += optind; - if (argc < 2) { - warnx ("specify a group name and a user to add"); - return 2; - } + if (argc < 2) + errx (2, "specify a group name and a user to add"); entry = adcli_entry_new_group (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } attrs = adcli_attrs_new (); - for (i = 1; i < argc; i++) { - res = expand_user_dn_as_member (conn, attrs, argv[i], 1); - if (res != ADCLI_SUCCESS) { - adcli_attrs_free (attrs); - adcli_entry_unref (entry); - return res; - } - } + for (i = 1; i < argc; i++) + expand_user_dn_as_member (conn, attrs, argv[i], 1); res = adcli_entry_modify (entry, attrs); if (res != ADCLI_SUCCESS) { - warnx ("adding member(s) to group %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_attrs_free (attrs); - adcli_entry_unref (entry); - return -res; + errx (-res, "adding member(s) to group %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_attrs_free (attrs); 
@@ -732,7 +618,6 @@ adcli_tool_member_remove (adcli_conn *conn, { "domain", required_argument, NULL, opt_domain }, { "domain-realm", required_argument, NULL, opt_domain_realm }, { "domain-controller", required_argument, NULL, opt_domain_controller }, - { "use-ldaps", no_argument, 0, opt_use_ldaps }, { "login-user", required_argument, NULL, opt_login_user }, { "login-ccache", optional_argument, NULL, opt_login_ccache }, { "no-password", no_argument, 0, opt_no_password }, @@ -757,10 +642,7 @@ adcli_tool_member_remove (adcli_conn *conn, adcli_tool_usage (options, common_usages); return opt == 'h' ? 0 : 2; default: - res = parse_option ((Option)opt, optarg, conn); - if (res != ADCLI_SUCCESS) { - return res; - } + parse_option ((Option)opt, optarg, conn); break; } } 
@@ -768,48 +650,33 @@ adcli_tool_member_remove (adcli_conn *conn, argc -= optind; argv += optind; - if (argc < 2) { - warnx ("specify a group name and a user to remove"); - return 2; - } + if (argc < 2) + errx (2, "specify a group name and a user to remove"); entry = adcli_entry_new_group (conn, argv[0]); - if (entry == NULL) { - warnx ("unexpected memory problems"); - return -1; - } + if (entry == NULL) + errx (-1, "unexpected memory problems"); adcli_conn_set_allowed_login_types (conn, ADCLI_LOGIN_USER_ACCOUNT); res = adcli_conn_connect (conn); if (res != ADCLI_SUCCESS) { - warnx ("couldn't connect to %s domain: %s", - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_entry_unref (entry); - return -res; + errx (-res, "couldn't connect to %s domain: %s", + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } attrs = adcli_attrs_new (); - for (i = 1; i < argc; i++) { - res = expand_user_dn_as_member (conn, attrs, argv[i], 0); - if (res != ADCLI_SUCCESS) { - adcli_attrs_free (attrs); - adcli_entry_unref (entry); - return res; - } - } + for (i = 1; i < argc; i++) + expand_user_dn_as_member (conn, attrs, argv[i], 0); res = adcli_entry_modify (entry, attrs); if (res != ADCLI_SUCCESS) { - warnx ("adding member(s) to group %s in domain %s failed: %s", - adcli_entry_get_sam_name (entry), - adcli_conn_get_domain_name (conn), - adcli_get_last_error ()); - adcli_attrs_free (attrs); - adcli_entry_unref (entry); - return -res; + errx (-res, "adding member(s) to group %s in domain %s failed: %s", + adcli_entry_get_sam_name (entry), + adcli_conn_get_domain_name (conn), + adcli_get_last_error ()); } adcli_attrs_free (attrs); diff --git a/tools/info.c b/tools/info.c index c63e0ff..e7e20ad 100644 --- a/tools/info.c +++ b/tools/info.c 
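Review bot: The failure message on the new side of adcli_tool_member_remove says "adding member(s) to group %s in domain %s failed", but this path removes members (expand_user_dn_as_member is called with adding = 0), so the user is told the wrong operation failed; use `errx (-res, "removing member(s) from group %s in domain %s failed: %s",` with the same arguments. The old side had the same wording, so the revert does not introduce it, but the new line is the one that ships. The function continues after adcli_attrs_free (attrs), outside the hunk.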
@@ -162,28 +162,21 @@ adcli_tool_info (adcli_conn *unused, if (argc == 1) domain = argv[0]; - else if (argc != 0) { - warnx ("specify one user name to create"); - return 2; - } + else if (argc != 0) + errx (2, "specify one user name to create"); if (server) { adcli_disco_host (server, &disco); - if (disco == NULL) { - warnx ("couldn't discover domain controller: %s", server); - return 1; - } + if (disco == NULL) + errx (1, "couldn't discover domain controller: %s", server); for_host = 1; } else if (domain) { adcli_disco_domain (domain, &disco); - if (disco == NULL) { - warnx ("couldn't discover domain: %s", domain); - return 1; - } + if (disco == NULL) + errx (1, "couldn't discover domain: %s", domain); for_host = 0; } else { - warnx ("specify a domain to discover"); - return 2; + errx (2, "specify a domain to discover"); } print_info (disco, for_host); diff --git a/tools/tools.c b/tools/tools.c index 9d422f2..4b243de 100644 --- a/tools/tools.c +++ b/tools/tools.c @@ -55,11 +55,9 @@ struct { { "info", adcli_tool_info, "Print information about a domain", CONNECTION_LESS }, { "join", adcli_tool_computer_join, "Join this machine to a domain", }, { "update", adcli_tool_computer_update, "Update machine membership in a domain", }, - { "testjoin", adcli_tool_computer_testjoin, "Test if machine account password is valid", }, { "preset-computer", adcli_tool_computer_preset, "Pre setup computers accounts", }, { "reset-computer", adcli_tool_computer_reset, "Reset a computer account", }, - { "delete-computer", adcli_tool_computer_delete, "Delete a computer account", }, - { "show-computer", adcli_tool_computer_show, "Show computer account attributes stored in AD", }, + { "delete-computer", adcli_tool_computer_delete, "Delete a computer acocunt", }, { "create-user", adcli_tool_user_create, "Create a user account", }, { "delete-user", adcli_tool_user_delete, "Delete a user account", }, { "create-group", adcli_tool_group_create, "Create a group", }, 
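Review bot: The usage error for `argc != 0` in adcli_tool_info reads "specify one user name to create", which is the create-user message and does not describe this command; from the surrounding lines the positional argument is a domain, so something like `errx (2, "specify at most one domain to discover");` matches what the code accepts. The same function already uses "specify a domain to discover" in its final else branch, so the two messages should agree. The remainder of adcli_tool_info after print_info is outside the hunk.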
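Review bot: The new side of the command table in tools.c reintroduces a typo in the delete-computer description, "Delete a computer acocunt"; it should read `{ "delete-computer", adcli_tool_computer_delete, "Delete a computer account", },`. This text is presumably what the usage output prints for each subcommand, so the typo is user-visible. The table starts before and ends after the hunk.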
@@ -248,9 +246,7 @@ adcli_read_password_func (adcli_login_type login_type, if (res < 0) { if (errno == EAGAIN || errno == EINTR) continue; - warn ("couldn't read password from stdin"); - free (buffer); - return NULL; + err (EFAIL, "couldn't read password from stdin"); } else if (res == 0) { buffer[offset] = '\0'; @@ -264,11 +260,8 @@ adcli_read_password_func (adcli_login_type login_type, return buffer; } else { - if (memchr (buffer + offset, 0, res)) { - warnx ("unsupported null character present in password"); - free (buffer); - return NULL; - } + if (memchr (buffer + offset, 0, res)) + errx (EUSAGE, "unsupported null character present in password"); offset += res; } } 
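Review bot: adcli_read_password_func is the callback installed by adcli_conn_set_password_func (see the parse_option hunk at the top), and on the new side both failure branches end the process with err()/errx() instead of returning NULL, so the library caller never regains control to release the connection or to run any cleanup main set up — whether that matters depends on cleanup code this hunk does not show. In both branches the partially read password in `buffer` is neither freed nor cleared before the exit; the old side at least freed it, and if the project has a zeroizing helper, clearing `buffer` before err()/errx() is cheap. The read loop these branches sit in starts before the hunk.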
@@ -328,31 +321,21 @@ setup_krb5_conf_directory (adcli_conn *conn) } if (asprintf (&directory, "%s%sadcli-krb5-XXXXXX", parent, - (parent[0] && parent[strlen(parent) - 1] == '/') ? "" : "/") < 0) { - warnx ("unexpected: out of memory"); - directory = NULL; /* content is undefined */ - failed = 1; - } + (parent[0] && parent[strlen(parent) - 1] == '/') ? "" : "/") < 0) + errx (1, "unexpected: out of memory"); - if (!failed) { - if (mkdtemp (directory) == NULL) { - errn = errno; - failed = 1; - warnx ("couldn't create temporary directory in: %s: %s", - parent, strerror (errn)); - } else { - if (asprintf (&filename, "%s/krb5.conf", directory) < 0 || - asprintf (&snippets, "%s/krb5.d", directory) < 0 || - asprintf (&contents, "includedir %s\n%s%s\n", snippets, - krb5_conf ? "include " : "", - krb5_conf ? krb5_conf : "") < 0) { - warnx ("unexpected: out of memory"); - filename = NULL; /* content is undefined */ - snippets = NULL; /* content is undefined */ - contents = NULL; /* content is undefined */ - failed = 1; - } - } + if (mkdtemp (directory) == NULL) { + errn = errno; + failed = 1; + warnx ("couldn't create temporary directory in: %s: %s", + parent, strerror (errn)); + } else { + if (asprintf (&filename, "%s/krb5.conf", directory) < 0 || + asprintf (&snippets, "%s/krb5.d", directory) < 0 || + asprintf (&contents, "includedir %s\n%s%s\n", snippets, + krb5_conf ? "include " : "", + krb5_conf ? krb5_conf : "") < 0) + errx (1, "unexpected: out of memory"); } if (!failed) { diff --git a/tools/tools.h b/tools/tools.h index 3702875..6c97ccf 100644 --- a/tools/tools.h +++ b/tools/tools.h 
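Review bot: The inner `errx (1, "unexpected: out of memory")` in setup_krb5_conf_directory runs after mkdtemp() has already created `directory`, so an allocation failure there exits the process and leaves the empty adcli-krb5-XXXXXX directory behind (the first errx, before mkdtemp, has no such side effect). Adding `rmdir (directory);` on the line before that errx removes it. The mkdtemp failure branch in the same hunk reports through `failed = 1` and warnx() instead of exiting, so two error styles now coexist in one function; which one is intended depends on how `failed` is handled after the hunk, where the function continues.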
@@ -70,18 +70,10 @@ int adcli_tool_computer_update (adcli_conn *conn,
 int argc,
 char *argv[]);
 
-int adcli_tool_computer_testjoin (adcli_conn *conn,
- int argc,
- char *argv[]);
-
 int adcli_tool_computer_delete (adcli_conn *conn,
 int argc,
 char *argv[]);
 
-int adcli_tool_computer_show (adcli_conn *conn,
- int argc,
- char *argv[]);
-
 int adcli_tool_user_create (adcli_conn *conn,
 int argc,
 char *argv[]);