From: Stefan Metzmacher
Date: Wed, 27 Apr 2022 11:11:26 +0000 (+0200)
Subject: s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
X-Git-Tag: tdb-1.4.11~779
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3110ec049bae7c97aa0f642773fe0deb56f8e14;p=thirdparty%2Fsamba.git
s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 93fe2a2082f..16fc24264cb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -206,7 +206,7 @@ ADS_STATUS ads_ranged_search(ADS_STRUCT *ads,
 NTSTATUS ads_legacy_creds(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct cli_credentials **_creds);
-ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads);
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds);
 /* The following definitions come from libads/sasl_wrapping.c */
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b5bf5634086..26e3107c042 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -34,6 +34,7 @@
 #include "lib/param/loadparm.h"
 #include "libsmb/namequery.h"
 #include "../librpc/gen_ndr/ndr_ads.h"
+#include "auth/credentials/credentials.h"
 #ifdef HAVE_LDAP
@@ -810,12 +811,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
 c_realm, c_domain, nt_errstr(status)));
 return status;
 }
+
 /**
 * Connect to the LDAP server
 * @param ads Pointer to an existing ADS_STRUCT
 * @return status of connection
 **/
-ADS_STATUS ads_connect(ADS_STRUCT *ads)
+static ADS_STATUS ads_connect_internal(ADS_STRUCT *ads,
+ struct cli_credentials *creds)
 {
 int version = LDAP_VERSION3;
 ADS_STATUS status;
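Review bot: The `/** Connect to the LDAP server ... @param ads ... **/` doxygen comment that now heads ads_connect_internal() still documents only `ads`, so the new `creds` parameter and the preconditions this function asserts on it (non-NULL unless ADS_AUTH_NO_BIND is set, anonymous when ADS_AUTH_ANON_BIND is set) are left undocumented at the point where a caller would look. Adding ` * @param creds credentials used for the bind; must not be NULL unless ADS_AUTH_NO_BIND is set, and must be anonymous when ADS_AUTH_ANON_BIND is set` beneath the existing `@param ads` line would close that gap. The body of ads_connect_internal() continues well past the end of this hunk.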
@@ -827,6 +830,18 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
 zero_sockaddr(&existing_ss);
+ if (!(ads->auth.flags & ADS_AUTH_NO_BIND)) {
+ SMB_ASSERT(creds != NULL);
+ }
+
+ if (ads->auth.flags & ADS_AUTH_ANON_BIND) {
+ /*
+ * Simple anonyous binds are only
+ * allowed for anonymous credentials
+ */
+ SMB_ASSERT(cli_credentials_is_anonymous(creds));
+ }
+
 /*
 * ads_connect can be passed in a reused ADS_STRUCT
 * with an existing non-zero ads->ldap.ss IP address
@@ -1076,7 +1091,7 @@ got_connection:
 goto out;
 }
- status = ads_sasl_bind(ads);
+ status = ads_sasl_bind(ads, creds);
 out:
 if (DEBUGLEVEL >= 11) {
@@ -1090,6 +1105,29 @@ got_connection:
 return status;
 }
+/*
+ * Connect to the LDAP server
+ * @param ads Pointer to an existing ADS_STRUCT
+ * @return status of connection
+ **/
+ADS_STATUS ads_connect(ADS_STRUCT *ads)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct cli_credentials *creds = NULL;
+ ADS_STATUS status;
+ NTSTATUS ntstatus;
+
+ ntstatus = ads_legacy_creds(ads, frame, &creds);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ TALLOC_FREE(frame);
+ return ADS_ERROR_NT(ntstatus);
+ }
+
+ status = ads_connect_internal(ads, creds);
+ TALLOC_FREE(frame);
+ return status;
+}
+
 /**
 * Connect to the LDAP server using given credentials
 * @param ads Pointer to an existing ADS_STRUCT
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 3d0bac4c4a9..55e77cd71b4 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
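Review bot: The `SMB_ASSERT(cli_credentials_is_anonymous(creds));` added under ADS_AUTH_ANON_BIND can run with a NULL `creds`, because the check just above it only requires a non-NULL pointer when ADS_AUTH_NO_BIND is clear; if both flags can be set on the same ADS_STRUCT and cli_credentials_is_anonymous() dereferences its argument unconditionally (not visible here, so worth confirming), the result is a NULL dereference rather than a clean assertion failure. Writing it as `SMB_ASSERT(creds != NULL && cli_credentials_is_anonymous(creds));` keeps the invariant explicit in both cases. The new comment also has a typo: `anonyous` should read `anonymous`. ads_connect_internal() starts in the previous hunk and continues after this one.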
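Review bot: In the new ads_connect() wrapper, `TALLOC_FREE(frame);` releases the `creds` object obtained from ads_legacy_creds() as soon as ads_connect_internal() returns, which is only safe if neither ads_connect_internal() nor ads_sasl_bind() retains that pointer in `ads`; the visible hunks pass `creds` straight through, but nothing records that this is a requirement. A one-line comment above `status = ads_connect_internal(ads, creds);` such as `/* creds is owned by frame and must not be retained by the callee */` would state the lifetime contract for future changes. Separately, the header comment of the new function opens with `/*` while the adjacent API comments in this file use the doxygen `/**` opener (and this one still closes with `**/`); using `/**` keeps the public-function documentation consistent.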
@@ -634,36 +634,29 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 /* this performs a SASL/SPNEGO bind */
-static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads,
+ struct cli_credentials *creds)
 {
 TALLOC_CTX *frame = talloc_stackframe();
 struct ads_service_principal p = {0};
- struct cli_credentials *creds = NULL;
- NTSTATUS nt_status;
 ADS_STATUS status;
 const char *mech = NULL;
 const char *debug_username = NULL;
 enum credentials_use_kerberos krb5_state;
+ krb5_state = cli_credentials_get_kerberos_state(creds);
+
 status = ads_generate_service_principal(ads, &p);
 if (!ADS_ERR_OK(status)) {
 goto done;
 }
- nt_status = ads_legacy_creds(ads, frame, &creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- status = ADS_ERROR_NT(nt_status);
- goto done;
- }
-
 debug_username = cli_credentials_get_unparsed_name(creds, frame);
 if (debug_username == NULL) {
 status = ADS_ERROR_SYSTEM(errno);
 goto done;
 }
- krb5_state = cli_credentials_get_kerberos_state(creds);
-
 #ifdef HAVE_KRB5
 if (krb5_state != CRED_USE_KERBEROS_DISABLED && !is_ipaddress(p.hostname))
@@ -760,7 +753,7 @@ done:
 return status;
 }
-ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
+ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds)
 {
 ADS_STATUS status;
 struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
@@ -791,7 +784,7 @@ ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
 }
 retry:
- status = ads_sasl_spnego_bind(ads);
+ status = ads_sasl_spnego_bind(ads, creds);
 if (status.error_type == ENUM_ADS_ERROR_LDAP &&
 status.err.rc == LDAP_STRONG_AUTH_REQUIRED &&
 !tls &&
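Review bot: ads_sasl_spnego_bind() now dereferences `creds` in its first statement, `krb5_state = cli_credentials_get_kerberos_state(creds);`, and the only guard against NULL is the SMB_ASSERT in ads_connect_internal() over in ldap.c; since ads_sasl_bind() is exported through ads_proto.h, any other caller that passes NULL would now crash inside libads instead of getting an error status. Either state the contract at the prototype in ads_proto.h with a comment such as `/* creds must not be NULL */`, or have ads_sasl_bind() reject it up front with `if (creds == NULL) { return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); }`. The hunk also moves the krb5_state assignment ahead of ads_generate_service_principal() without saying why; if the ordering matters, a short comment would help, otherwise leaving it where the removed line was keeps the diff smaller. The function body continues past the end of this hunk.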