svn commit: samba r2353 - in trunk/source: include libads utils

gd at samba.org gd at samba.org
Wed Sep 15 17:03:06 GMT 2004 

Author: gd
Date: 2004-09-15 17:03:05 +0000 (Wed, 15 Sep 2004)
New Revision: 2353

WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/trunk/source&rev=2353&nolog=1

Log:
Use the default locations for creating users/groups and machine
accounts in Active Directory by querying for their well known guid and
do not blindly default to cn=Users or cn=Computers.

This way we match default containers moved by redircmp.exe and
redirusr.exe in Windows 2003.

Also, do not enforce to define cryptic location paths when rejoining an
existing computer-account to ADS (use the original dn instead).

Guenther



Modified:
   trunk/source/include/ads.h
   trunk/source/libads/ldap.c
   trunk/source/utils/net.c
   trunk/source/utils/net_ads.c


Changeset:
Modified: trunk/source/include/ads.h
===================================================================
--- trunk/source/include/ads.h	2004-09-15 15:13:03 UTC (rev 2352)
+++ trunk/source/include/ads.h	2004-09-15 17:03:05 UTC (rev 2353)
@@ -224,3 +224,8 @@
 #ifndef HAVE_AP_OPTS_USE_SUBKEY
 #define AP_OPTS_USE_SUBKEY 0
 #endif
+
+#define WELL_KNOWN_GUID_COMPUTERS		"AA312825768811D1ADED00C04FD8D5CD" /* 252831aa-8876-d111-aded-00c04fd8d5cd */
+#define WELL_KNOWN_GUID_USERS			"A9D1CA15768811D1ADED00C04FD8D5CD" /* 15cad1a9-8876-d111-aded-00c04fd8d5cd */
+#define WELL_KNOWN_GUID_DOMAIN_CONTROLLERS	"A361B2FFFFD211D1AA4B00C04FD7D83A" /* ffb261a3-d2ff-d111-aa4b-00c04fd7d83a */
+#define WELL_KNOWN_GUID_SYSTEM			"AB1D30F3768811D1ADED00C04FD8D5CD" /* f3301dab-8876-d111-aded-00c04fd8d5cd */

Modified: trunk/source/libads/ldap.c
===================================================================
--- trunk/source/libads/ldap.c	2004-09-15 15:13:03 UTC (rev 2352)
+++ trunk/source/libads/ldap.c	2004-09-15 17:03:05 UTC (rev 2353)
@@ -993,22 +993,82 @@
 
 /**
  * Build an org unit string
- *  if org unit is Computers or blank then assume a container, otherwise
+ *  if org unit is empty we get the default container from ads, 
+ *  if org unit is Computers we return cn=Computers, otherwise 
  *  assume a \ separated list of organisational units
+ * @param ads connection to ads server
  * @param org_unit Organizational unit
  * @return org unit string - caller must free
  **/
-char *ads_ou_string(const char *org_unit)
-{	
-	if (!org_unit || !*org_unit || strequal(org_unit, "Computers")) {
+char *ads_ou_string(ADS_STRUCT *ads, const char *org_unit)
+{
+	if (!org_unit || !*org_unit)
+		return ads_default_ou_string(ads, WELL_KNOWN_GUID_COMPUTERS);
+
+	if (strequal(org_unit, "Computers"))
 		return strdup("cn=Computers");
-	}
 
 	return ads_build_path(org_unit, "\\/", "ou=", 1);
 }
 
+/**
+ * Get an org unit string for a well-known GUID
+ * @param ads connection to ads server
+ * @param wknguid Well known GUID
+ * @return org unit string - caller must free
+ **/
+char *ads_default_ou_string(ADS_STRUCT *ads, const char *wknguid)
+{
+	ADS_STATUS status;
+	void *res;
+	char *base, *wkn_dn, *ret, **wkn_dn_exp, **bind_dn_exp;
+	const char *attrs[] = {"distinguishedName", NULL};
+	int wkn_ln, bind_ln, i;
 
+	if (asprintf(&base, "<WKGUID=%s,%s>", wknguid, ads->config.bind_path ) == -1) {
+		DEBUG(1, ("asprintf failed!\n"));
+		return NULL;
+	}
 
+	status = ads_search_dn(ads, &res, base, attrs);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(1,("Failed while searching for: %s\n", base));
+		return NULL;
+	}
+	free(base);
+
+	if (ads_count_replies(ads, res) != 1)
+		return NULL;
+
+	/* compare ads->config.bind-path and the result from the 
+	   well-known-guid-search to return the correct default 
+	   container (which might consist of several ou's)
+	*/
+
+	wkn_dn = ads_get_dn(ads, res);
+	wkn_dn_exp = ldap_explode_dn(wkn_dn, 0);
+	bind_dn_exp = ldap_explode_dn(ads->config.bind_path, 0);
+
+	for (wkn_ln=0; wkn_dn_exp[wkn_ln]; wkn_ln++)
+		;
+	for (bind_ln=0; bind_dn_exp[bind_ln]; bind_ln++)
+		;
+
+	if (wkn_ln - bind_ln < 1)
+		return NULL;
+
+	ret = wkn_dn_exp[0];
+
+	for (i=1; i < wkn_ln - bind_ln; i++) {
+		char *s;
+		asprintf(&s, "%s,%s", ret, wkn_dn_exp[i]);
+		ret = strdup(s);
+		free(s);
+	}
+
+	return ret;
+}
+
 /*
   add a machine account to the ADS server
 */
@@ -1017,7 +1077,7 @@
 				       const char *org_unit)
 {
 	ADS_STATUS ret, status;
-	char *host_spn, *host_upn, *new_dn, *samAccountName, *controlstr;
+	char *host_spn, *host_upn, *new_dn, *old_dn, *samAccountName, *controlstr;
 	char *ou_str;
 	TALLOC_CTX *ctx;
 	ADS_MODLIST mods;
@@ -1032,6 +1092,7 @@
 	status = ads_find_machine_acct(ads, (void **)&res, hostname);
 	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
 		DEBUG(0, ("Host account for %s already exists - modifying old account\n", hostname));
+		old_dn = ads_get_dn(ads, res);
 		exists=1;
 	}
 
@@ -1044,7 +1105,7 @@
 		goto done;
 	if (!(host_upn = talloc_asprintf(ctx, "%s@%s", host_spn, ads->config.realm)))
 		goto done;
-	ou_str = ads_ou_string(org_unit);
+	ou_str = ads_ou_string(ads,org_unit);
 	if (!ou_str) {
 		DEBUG(1, ("ads_ou_string returned NULL (malloc failure?)\n"));
 		goto done;
@@ -1097,7 +1158,7 @@
 	if (!exists) 
 		ret = ads_gen_add(ads, new_dn, mods);
 	else
-		ret = ads_gen_mod(ads, new_dn, mods);
+		ret = ads_gen_mod(ads, old_dn, mods);
 
 	if (!ADS_ERR_OK(ret))
 		goto done;

Modified: trunk/source/utils/net.c
===================================================================
--- trunk/source/utils/net.c	2004-09-15 15:13:03 UTC (rev 2352)
+++ trunk/source/utils/net.c	2004-09-15 17:03:05 UTC (rev 2353)
@@ -69,7 +69,7 @@
 int opt_verbose = 0;
 int opt_maxusers = -1;
 const char *opt_comment = "";
-const char *opt_container = "cn=Users";
+const char *opt_container = "";
 int opt_flags = -1;
 int opt_timeout = 0;
 const char *opt_target_workgroup = NULL;

Modified: trunk/source/utils/net_ads.c
===================================================================
--- trunk/source/utils/net_ads.c	2004-09-15 15:13:03 UTC (rev 2352)
+++ trunk/source/utils/net_ads.c	2004-09-15 17:03:05 UTC (rev 2353)
@@ -291,6 +291,7 @@
 		goto done;
 	}
 
+	opt_container = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
 	status = ads_add_user_acct(ads, argv[0], opt_container, opt_comment);
 
 	if (!ADS_ERR_OK(status)) {
@@ -474,6 +475,7 @@
 		goto done;
 	}
 
+	opt_container = ads_default_ou_string(ads, WELL_KNOWN_GUID_USERS);
 	status = ads_add_group_acct(ads, argv[0], opt_container, opt_comment);
 
 	if (ADS_ERR_OK(status)) {
@@ -652,7 +654,7 @@
 	char *password;
 	char *machine_account = NULL;
 	char *tmp_password;
-	const char *org_unit = "Computers";
+	const char *org_unit = NULL;
 	char *dn;
 	void *res;
 	DOM_SID dom_sid;
@@ -684,8 +686,12 @@
 		return -1;
 	}
 
-	ou_str = ads_ou_string(org_unit);
+	ou_str = ads_ou_string(ads, org_unit);
 	asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path);
+	if (ou_str == NULL) {
+		d_printf("could not find any reasonable container for the machine account\n");
+		return -1;
+	}
 	free(ou_str);
 
 	rc = ads_search_dn(ads, &res, dn, NULL);

More information about the samba-cvs mailing list