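/**
 * Periodic Kerberos "ping": requests a ticket for the configured AD admin with
 * kinit and raises e-mail events on the well-known failure messages.
 *
 * Runs at most once every 120 minutes (stamp file under /etc/artica-postfix/pids)
 * unless $GLOBALS["VERBOSE"] is set. Returns nothing; progress goes to stdout.
 *
 * Changes vs. the previous version: the kinit command is echoed with the password
 * redacted instead of in clear, the never-defined $config array is no longer read,
 * the principal is shell-escaped, and each() (removed in PHP 8) became foreach.
 */
function ping_kdc() {
    $sock = new sockets();
    $unix = new unix();
    $filetime = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".time";
    $verbose = !empty($GLOBALS["VERBOSE"]);

    $EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
    if (!is_numeric("{$EnableKerbAuth}")) {
        $EnableKerbAuth = 0;
    }
    if ($EnableKerbAuth == 0) {
        echo "Starting......: [PING]: Kerberos, disabled\n";
        return;
    }
    if (!checkParams()) {
        echo "Starting......: [PING]: Kerberos, misconfiguration failed\n";
        return;
    }

    // KerbAuthInfos is a serialized PHP array stored by the product itself.
    // unserialize() on attacker-writable data allows object injection, so this
    // store must stay writable by the product only. Bail out if it does not decode.
    $array = unserialize(base64_decode($sock->GET_INFO("KerbAuthInfos")));
    if (!is_array($array)) {
        echo "Starting......: [PING]: Kerberos, misconfiguration failed\n";
        return;
    }

    $time = $unix->file_time_min($filetime);
    if ($time < 120) {
        // Rate limit: inside the window only a verbose (manual) run proceeds.
        if (!$verbose) {
            return;
        }
        echo "{$filetime} ({$time}Mn)\n";
    }

    $kinit = $unix->find_program("kinit");
    $echo = $unix->find_program("echo");
    $domain = strtoupper($array["WINDOWS_DNS_SUFFIX"]);
    $admin = $array["WINDOWS_SERVER_ADMIN"];
    $principal = escapeshellarg("{$admin}@{$domain}");
    // shellEscapeChars() is the project's own escaping helper; its exact quoting is
    // not visible here, so its result is used verbatim.
    $kinitpassword = $unix->shellEscapeChars($array["WINDOWS_SERVER_PASS"]);
    $clock_explain = "The clock on you system (Linux/UNIX) is too far off from the correct time.\nYour machine needs to be within 5 minutes of the Kerberos servers in order to get any tickets.\nYou will need to run ntp, or a similar service to keep your clock within the five minute window";

    // NOTE(review): the password is an argument of `echo` inside the pipeline, so it
    // is readable in the process list while the command runs.
    $cmd = "{$echo} {$kinitpassword}|{$kinit} {$principal} -V 2>&1";
    // Console copy of the command with the secret masked.
    echo "{$echo} ****|{$kinit} {$principal} -V 2>&1\n";
    $kinit_results = array();
    exec($cmd, $kinit_results);

    foreach ($kinit_results as $ligne) {
        if (preg_match("#Clock skew too great while getting initial credentials#", $ligne)) {
            $unix->send_email_events("Active Directory connection clock issue", "kinit program claim\n{$ligne}\n{$clock_explain}", "system");
        }
        if (preg_match("#Client not found in Kerberos database while getting initial credentials#", $ligne)) {
            $unix->send_email_events("Active Directory authentification issue", "kinit program claim\n{$ligne}\n", "system");
        }
        if (preg_match("#Authenticated to Kerberos#", $ligne)) {
            echo "starting......: [PING]: Kerberos, Success\n";
        }
        if ($verbose) {
            echo "kinit: {$ligne}\n";
        }
    }

    // Refresh the rate-limit stamp (best effort: the pids directory may be missing).
    @unlink($filetime);
    @file_put_contents($filetime, time());
}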
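/**
 * Fills $GLOBALS["LDAP_HOST"], ["LDAP_SUFFIX"] and ["LDAP_PORT"] from `net ads info`.
 *
 * $GLOBALS["AUTHCMD"] is appended to the command when set (presumably extra `net`
 * options prepared elsewhere — not visible in this file). A global is only written
 * when its line is found in the output; the first matching pattern per line wins.
 */
function getNetInfos() {
    $unix = new unix();
    $netbin = $unix->LOCATE_NET_BIN_PATH();
    $authcmd = isset($GLOBALS["AUTHCMD"]) ? $GLOBALS["AUTHCMD"] : "";
    $results = array();
    exec("{$netbin} ads info {$authcmd} 2>&1", $results);

    // Output line pattern => global to fill with the trimmed first capture.
    $fields = array(
        "#LDAP server:(.+)#" => "LDAP_HOST",
        "#Bind Path:(.+)#" => "LDAP_SUFFIX",
        "#LDAP port.+?([0-9]+)#" => "LDAP_PORT",
    );
    foreach ($results as $line) {
        foreach ($fields as $pattern => $global) {
            if (preg_match($pattern, $line, $re)) {
                $GLOBALS[$global] = trim($re[1]);
                break;
            }
        }
    }
}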
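/**
 * Web-facing (articadatascgi) dump of `net ads info` as a base64-encoded
 * serialized key => value map, cached for 30 minutes in
 * /etc/artica-postfix/NetADSInfo.cache.
 *
 * ?reconnect=yes first re-runs the ADS join (exec.samba.php --ads). The parameter
 * only selects a fixed command — nothing from the request reaches the shell — but
 * because it triggers a domain re-join, access to this endpoint relies on whatever
 * authentication the caller enforces (not visible here).
 *
 * Changes: $results and $array are initialised (count(null) is a TypeError on
 * PHP 8), filesize() is only asked for an existing file, the cache path is not
 * repeated as a literal, and each() became foreach.
 */
function net_ads_info() {
    $reconnect = isset($_GET["reconnect"]) ? $_GET["reconnect"] : "";
    if ($reconnect == "yes") {
        shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --ads");
    }

    $cachefile = "/etc/artica-postfix/NetADSInfo.cache";
    $cachefilesize = is_file($cachefile) ? filesize($cachefile) : 0;
    writelogs_framework("{$cachefile} {$cachefilesize}", __FUNCTION__, __FILE__, __LINE__);

    $results = null;
    if (is_file($cachefile)) {
        $filetime = file_time_min($cachefile);
        if ($filetime < 30) {
            writelogs_framework("{$cachefile} {$filetime}Mn", __FUNCTION__, __FILE__, __LINE__);
            $results = explode("\n", @file_get_contents($cachefile));
        }
    }
    $rows = is_array($results) ? count($results) : 0;
    writelogs_framework("results= {$rows} rows", __FUNCTION__, __FILE__, __LINE__);

    if (!is_array($results)) {
        $unix = new unix();
        $net = $unix->LOCATE_NET_BIN_PATH();
        if (!is_file($net)) {
            $unix->send_email_events("Unable to locate net binary !!", "", "system");
            return;
        }
        writelogs_framework("{$net} ads info 2>&1", __FUNCTION__, __FILE__, __LINE__);
        $results = array();
        exec("{$net} ads info 2>&1", $results);
        @file_put_contents($cachefile, @implode("\n", $results));
    }

    $array = array();
    foreach ($results as $line) {
        if (preg_match("#^(.+?):(.+)#", trim($line), $re)) {
            writelogs_framework(trim($re[1]) . "=" . trim($re[2]), __FUNCTION__, __FILE__, __LINE__);
            $array[trim($re[1])] = trim($re[2]);
        }
    }
    echo "<articadatascgi>" . base64_encode(serialize($array)) . "</articadatascgi>";
}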
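/**
 * Periodic Samba/AD check: obtains a Kerberos ticket for the AD admin with kinit
 * (e-mailing a clock-skew event when kinit reports one) and runs
 * `wbinfo --ping-dc`, whose output is only shown in verbose mode.
 *
 * Does nothing unless EnableSambaActiveDirectory is 1; rate-limited to one run per
 * 120 minutes through a stamp file unless $GLOBALS["VERBOSE"] is set.
 *
 * Changes: the kinit command is echoed with the password redacted, the principal is
 * shell-escaped, the unused ping-dc flag and locals were dropped, and each()
 * (removed in PHP 8) became foreach.
 */
function activedirectory_ping() {
    $sock = new sockets();
    $unix = new unix();
    $filetime = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".time";
    $verbose = !empty($GLOBALS["VERBOSE"]);

    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    if (!is_numeric($EnableSambaActiveDirectory)) {
        return;
    }
    if ($EnableSambaActiveDirectory != 1) {
        return;
    }

    $time = $unix->file_time_min($filetime);
    if ($time < 120) {
        if (!$verbose) {
            return;
        }
        echo "$filetime ({$time}Mn)\n";
    }

    // SambaAdInfos is a serialized array written by the product; unserialize() must
    // only ever see that trusted store. Stop silently if it does not decode.
    $config = unserialize(base64_decode($sock->GET_INFO("SambaAdInfos")));
    if (!is_array($config)) {
        return;
    }

    $kinit = $unix->find_program("kinit");
    $echo = $unix->find_program("echo");
    $wbinfo = $unix->find_program("wbinfo");
    $domain = strtoupper($config["ADDOMAIN"]);
    $admin = $config["ADADMIN"];
    $principal = escapeshellarg("{$admin}@{$domain}");
    // Project escaping helper; its output is used as returned.
    $kinitpassword = $unix->shellEscapeChars($config["PASSWORD"]);
    $clock_explain = "The clock on you system (Linux/UNIX) is too far off from the correct time.\nYour machine needs to be within 5 minutes of the Kerberos servers in order to get any tickets.\nYou will need to run ntp, or a similar service to keep your clock within the five minute window";

    // NOTE(review): the password is passed as an `echo` argument, hence visible in
    // the process list while kinit runs.
    $cmd = "$echo $kinitpassword|$kinit $principal 2>&1";
    echo "$echo ****|$kinit $principal 2>&1\n";
    $kinit_results = array();
    exec($cmd, $kinit_results);
    foreach ($kinit_results as $ligne) {
        if (preg_match("#Clock skew too great while getting initial credentials#", $ligne)) {
            $unix->send_email_events("Active Directory connection clock issue", "kinit program claim\n$ligne\n$clock_explain", "system");
        }
        if ($verbose) {
            echo "kinit: $ligne\n";
        }
    }

    // The ping-dc result is not acted upon; it is only surfaced in verbose mode.
    $ping_dc_results = array();
    exec("$wbinfo --ping-dc 2>&1", $ping_dc_results);
    if ($verbose) {
        foreach ($ping_dc_results as $ligne) {
            echo "ping-dc: $ligne\n";
        }
    }

    @unlink($filetime);
    @file_put_contents($filetime, time());
}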
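/**
 * Leaves the Active Directory domain and tears down the Kerberos/Samba state,
 * reporting progress through build_progress_disconnect() and progress_logs().
 *
 * Steps: flush the keytab, `net ads leave`, kdestroy, destroy the local kdb5 realm,
 * remove the proxy keytab and the AD cron entries, clear EnableKerbAuth, rebuild
 * nsswitch, restart samba, then rebuild the proxy configuration.
 *
 * NOTE(review): a second function also named disconnect() is declared later in this
 * file; PHP refuses to load a file that declares the same function twice, so one of
 * the two has to be renamed or removed.
 */
function disconnect() {
    $unix = new unix();
    $user = new settings_inc();
    $sock = new sockets();
    $netbin = $unix->LOCATE_NET_BIN_PATH();
    $kdestroy = $unix->find_program("kdestroy");
    $kdb5_util = $unix->find_program("kdb5_util");

    // KerbAuthInfos is a serialized array written by the product; keep unserialize()
    // pointed only at that store. Missing keys degrade to "" instead of notices.
    $array = unserialize(base64_decode($sock->GET_INFO("KerbAuthInfos")));
    if (!is_array($array)) {
        $array = array();
    }
    $cfg = function ($key) use ($array) {
        return isset($array[$key]) ? $array[$key] : "";
    };
    $domainUp = strtoupper($cfg("WINDOWS_DNS_SUFFIX"));
    $adminname = $cfg("WINDOWS_SERVER_ADMIN");
    $adminpassword = $unix->shellEscapeChars($cfg("WINDOWS_SERVER_PASS"));
    // Single quotes are stripped *after* escaping, as before. NOTE(review): if
    // shellEscapeChars() quotes with '...', this strip undoes that quoting — confirm
    // what the helper emits before keeping this line.
    $adminpassword = str_replace("'", "", $adminpassword);

    if (!is_file($netbin)) {
        progress_logs(100, "{join_activedirectory_domain}", " net, no such binary");
        return;
    }
    if (!$user->SAMBA_INSTALLED) {
        progress_logs(100, "{join_activedirectory_domain}", " Samba, no such software");
        return;
    }

    // exec() appends to $results, so the "Leave......:" loop below echoes the output
    // of every command run here, not only the samba restart.
    $results = array();

    build_progress_disconnect("Flush Keytab...", 5);
    exec("{$netbin} ads keytab flush 2>&1", $results);

    build_progress_disconnect("Leave Active Directory...", 10);
    // NOTE(review): user%password on argv is readable in the process list while `net`
    // runs; samba's `net -A <authfile>` keeps the secret out of argv.
    exec("{$netbin} ads leave -U {$adminname}%{$adminpassword} 2>&1", $results);

    build_progress_disconnect("Destroy Kerberos ticket", 10);
    exec("{$kdestroy} 2>&1", $results);

    build_progress_disconnect("Destroy Kerberos ticket", 15);
    // find_program() presumably returns an empty value when the binary is absent;
    // in that case skip the realm destruction instead of handing the shell bare options.
    if (trim((string) $kdb5_util) !== "") {
        system("{$kdb5_util} -r {$domainUp} -P {$adminpassword} destroy -f");
    }

    build_progress_disconnect("Destroy Kerberos ticket", 20);
    @unlink("/etc/squid3/PROXY.keytab");
    squid_admin_mysql(0, "Active directory disconnected", "An order as been sent to disconnect Active Directory", __FILE__, __LINE__);

    build_progress_disconnect("Stamp to not use Active Directory", 50);
    $sock->SET_INFO("EnableKerbAuth", 0);
    @unlink("/etc/cron.d/artica-ads-watchdog");
    @unlink("/etc/cron.daily/msktutil");

    build_progress_disconnect("Remove the system from Active Directory", 70);
    exec("/usr/share/artica-postfix/bin/artica-install --nsswitch 2>&1", $results);

    build_progress_disconnect("Restarting SMB Engine", 70);
    exec("/etc/init.d/artica-postfix restart samba 2>&1", $results);
    foreach ($results as $ligne) {
        echo "Leave......: {$ligne}\n";
        progress_logs(90, "{join_activedirectory_domain}", "Leave......: {$ligne}");
    }

    build_progress_disconnect("{reconfiguring_proxy_service}", 80);
    $php5 = $unix->LOCATE_PHP5_BIN();
    system("{$php5} /usr/share/artica-postfix/exec.squid.php --build --force");
    build_progress_disconnect("{done}", 100);
}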
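/**
 * Verifies the Samba domain membership with `net ads testjoin`; when it is broken,
 * attempts an ADS join and a plain `net join`, e-mails a report of all three
 * outputs, and calls reload(). Does nothing unless EnableSambaActiveDirectory is 1.
 *
 * Changes: the testjoin output was captured and then discarded, so the "NET claim:"
 * part of the e-mail was always empty — it is now included; the second join uses the
 * located `net` binary rather than a bare "net" resolved through PATH; the server
 * and workgroup arguments are shell-escaped; each() (removed in PHP 8) became foreach.
 */
function test_join() {
    $sock = new sockets();
    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    if (!is_numeric($EnableSambaActiveDirectory)) {
        $EnableSambaActiveDirectory = 0;
    }
    if ($EnableSambaActiveDirectory == 0) {
        return;
    }

    $unix = new unix();
    $net = $unix->LOCATE_NET_BIN_PATH();
    $results = array();
    exec("{$net} ads testjoin 2>&1", $results);
    foreach ($results as $ligne) {
        if (preg_match("#Join is OK#", $ligne)) {
            return;
        }
    }
    $adsjoinerror = @implode("\n", $results);

    // SambaAdInfos is a serialized array written by the product; unserialize() must
    // only see that trusted store. Missing keys degrade to "".
    $config = unserialize(base64_decode($sock->GET_INFO("SambaAdInfos")));
    if (!is_array($config)) {
        $config = array();
    }
    $cfg = function ($key) use ($config) {
        return isset($config[$key]) ? $config[$key] : "";
    };
    $ad_server = strtolower($cfg("ADSERVER"));
    $domain_lower = strtolower($cfg("ADDOMAIN"));
    $adminname = $cfg("ADADMIN");
    // Project escaping helper; its output is used as returned.
    $adminpassword = $unix->shellEscapeChars($cfg("PASSWORD"));
    $server_arg = escapeshellarg($ad_server);
    $fqdn_arg = escapeshellarg("{$ad_server}.{$domain_lower}");

    // NOTE(review): user%password on argv is visible in the process list while `net`
    // runs; samba's `net -A <authfile>` avoids that.
    $results1 = array();
    exec("{$net} ads join -W {$fqdn_arg} -S {$server_arg} -U {$adminname}%{$adminpassword} 2>&1", $results1);
    $results2 = array();
    exec("{$net} join -U {$adminname}%{$adminpassword} -S {$server_arg} 2>&1", $results2);

    $unix->send_email_events(
        "Join to [{$ad_server}] Active Directory Domain failed",
        "NET claim:" . $adsjoinerror . "\n\tArtica reconnect the system to the Active Directory report:\n" . @implode("\n", $results1) . "\n" . @implode("\n", $results2),
        "system"
    );
    reload();
}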
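/**
 * articadatascgi dump of `net ads info`, uncached: each "key: value" output line
 * becomes a map entry, serialized and base64-encoded into the response.
 *
 * Changes: $cmd was logged without ever being assigned; $array is initialised so an
 * empty output still serialises as an array; each() (removed in PHP 8) became foreach.
 */
function adsinfos() {
    $unix = new unix();
    $net = $unix->LOCATE_NET_BIN_PATH();
    $cmd = "{$net} ads info 2>&1";
    $results = array();
    exec($cmd, $results);
    writelogs_framework("{$cmd} = " . count($results) . " rows", __FUNCTION__, __FILE__, __LINE__);

    $array = array();
    foreach ($results as $line) {
        // Lazy match: the key is everything up to the first colon.
        if (preg_match("#(.+?):(.+)#", $line, $re)) {
            $array[trim($re[1])] = trim($re[2]);
        }
    }
    echo "<articadatascgi>" . base64_encode(serialize($array)) . "</articadatascgi>";
}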
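/**
 * Leaves the Active Directory domain (keytab flush, `net ads leave`, kdestroy),
 * records the event, clears EnableKerbAuth, rebuilds nsswitch, restarts samba and
 * kicks off a background proxy rebuild. Progress goes to progress_logs().
 *
 * NOTE(review): an earlier function with the same name disconnect() (the variant
 * reporting through build_progress_disconnect()) is declared above in this file; PHP
 * cannot load a file with two definitions of one function, so one must be renamed
 * or removed.
 *
 * Changes: $ligne is defined even when no command output was captured (the final
 * progress entry repeats the last output line), unused locals were dropped, and
 * each() (removed in PHP 8) became foreach.
 */
function disconnect() {
    $unix = new unix();
    $user = new settings_inc();
    $sock = new sockets();
    $netbin = $unix->LOCATE_NET_BIN_PATH();
    $kdestroy = $unix->find_program("kdestroy");
    $nohup = $unix->find_program("nohup");

    // KerbAuthInfos is a serialized array written by the product; keep unserialize()
    // pointed only at that store. Missing keys degrade to "".
    $array = unserialize(base64_decode($sock->GET_INFO("KerbAuthInfos")));
    if (!is_array($array)) {
        $array = array();
    }
    $cfg = function ($key) use ($array) {
        return isset($array[$key]) ? $array[$key] : "";
    };
    $adminname = $cfg("WINDOWS_SERVER_ADMIN");
    $adminpassword = $unix->shellEscapeChars($cfg("WINDOWS_SERVER_PASS"));
    // Single quotes are stripped *after* escaping, as before. NOTE(review): if
    // shellEscapeChars() quotes with '...', this undoes that quoting — confirm.
    $adminpassword = str_replace("'", "", $adminpassword);

    if (!is_file($netbin)) {
        progress_logs(100, "{join_activedirectory_domain}", " net, no such binary");
        return;
    }
    if (!$user->SAMBA_INSTALLED) {
        progress_logs(100, "{join_activedirectory_domain}", " Samba, no such software");
        return;
    }

    // exec() appends to $results: the loop below reports the output of every command.
    $results = array();
    exec("{$netbin} ads keytab flush 2>&1", $results);
    // NOTE(review): user%password on argv is readable in the process list while `net`
    // runs; samba's `net -A <authfile>` keeps it out of argv.
    exec("{$netbin} ads leave -U {$adminname}%{$adminpassword} 2>&1", $results);
    exec("{$kdestroy} 2>&1", $results);

    squid_admin_mysql(0, "Active directory disconnected", "An order as been sent to disconnect Active Directory", __FILE__, __LINE__);
    $unix->send_email_events("Active directory disconnected", "An order as been sent to disconnect Active Directory", "activedirectory");
    $sock->SET_INFO("EnableKerbAuth", 0);

    exec("/usr/share/artica-postfix/bin/artica-install --nsswitch 2>&1", $results);
    exec("/etc/init.d/artica-postfix restart samba 2>&1", $results);
    $ligne = "";
    foreach ($results as $ligne) {
        progress_logs(90, "{join_activedirectory_domain}", "Leave......: {$ligne}");
    }

    $php5 = $unix->LOCATE_PHP5_BIN();
    shell_exec("{$nohup} {$php5} /usr/share/artica-postfix/exec.squid.php --build --force >/dev/null 2>&1 &");
    // The 100% entry repeats the last captured line (empty when there was none).
    progress_logs(100, "{join_activedirectory_domain}", "Leave......: {$ligne}");
}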
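/**
 * (Re)joins this host to the configured Active Directory domain with Samba's `net`.
 *
 * Reads SambaAdInfos (ADDOMAIN, PASSWORD, ADADMIN, ADSERVER, WORKGROUP,
 * ADSERVER_IP), runs msktutil, and then:
 *   1. `net ads join -W/-S` when no "KDC server" is known yet;
 *   2. `net setauthuser`;
 *   3. without ADSERVER_IP: `net join`, falling back to `net rpc join`;
 *      with ADSERVER_IP: `net ads join -I <ip>`, re-run once on "Failed to join";
 *   4. `net ads keytab create`, a background computer import, a winbind restart.
 * Every step is reported on stdout ("Starting......: HH:MM:SS ...") and, when the
 * WriteToSyslogMail() helper exists, to the mail syslog.
 *
 * Changes: the admin password is no longer written to stdout (verbose mode printed
 * it in clear, both directly and inside every echoed command — it is now masked);
 * the verbose line before `net join` showed the previous command instead of the one
 * about to run; each() (removed in PHP 8) became foreach; dead code was dropped.
 */
function JOIN_ACTIVEDIRECTORY() {
    $unix = new unix();
    $function = __FUNCTION__;
    $user = new settings_inc();
    $verbose = !empty($GLOBALS["VERBOSE"]);
    $netbin = $unix->LOCATE_NET_BIN_PATH();

    // Timestamped prefix shared by every console line of this function.
    $stamp = function () {
        return "Starting......: " . date("H:i:s");
    };
    // Forwards a line to the mail syslog when that helper is loaded.
    $syslog = function ($message) {
        if (function_exists("WriteToSyslogMail")) {
            WriteToSyslogMail($message, basename(__FILE__));
        }
    };

    if (!is_file($netbin)) {
        echo $stamp() . " {$function}, net, no such binary\n";
        return;
    }
    if (!$user->SAMBA_INSTALLED) {
        echo $stamp() . " {$function}, Samba, no such software\n";
        return;
    }

    $NetADSINFOS = $unix->SAMBA_GetNetAdsInfos();
    $KDC_SERVER = isset($NetADSINFOS["KDC server"]) ? $NetADSINFOS["KDC server"] : null;

    $sock = new sockets();
    // SambaAdInfos is a serialized array written by the product; unserialize() must
    // only ever see that trusted store (object injection otherwise). Missing keys
    // degrade to "".
    $array = unserialize(base64_decode($sock->GET_INFO("SambaAdInfos")));
    if (!is_array($array)) {
        $array = array();
    }
    $cfg = function ($key) use ($array) {
        return isset($array[$key]) ? $array[$key] : "";
    };
    run_msktutils();

    $domain_lower = strtolower($cfg("ADDOMAIN"));
    // Project escaping helper; its output is used verbatim in -U user%password.
    $adminpassword = $unix->shellEscapeChars($cfg("PASSWORD"));
    $adminname = $cfg("ADADMIN");
    $ad_server = $cfg("ADSERVER");
    $workgroup = $cfg("WORKGROUP");
    $ipaddr = trim($cfg("ADSERVER_IP"));

    // NOTE(review): user%password on argv is readable in the process list while each
    // `net` command runs; samba's `net -A <authfile>` keeps it out of argv.
    $credentials = "-U {$adminname}%{$adminpassword}";
    // Console-safe form of a command: the escaped password is replaced by "****".
    $redact = function ($cmd) use ($adminpassword) {
        if ((string) $adminpassword === "") {
            return $cmd;
        }
        return str_replace($adminpassword, "****", $cmd);
    };

    $syslog("Trying to relink this server with Active Directory {$ad_server}.{$domain_lower} server");
    echo $stamp() . " Samba, [{$adminname}]: Kdc server ads : {$KDC_SERVER}\n";

    if ($KDC_SERVER == null) {
        $cmd = "{$netbin} ads join -W {$ad_server}.{$domain_lower} -S {$ad_server} {$credentials} 2>&1";
        if ($verbose) {
            echo $stamp() . " {$function}, " . $redact($cmd) . "\n";
        }
        $results = array();
        exec($cmd, $results);
        foreach ($results as $line) {
            echo $stamp() . " {$function}, ads join [{$adminname}]: {$line}\n";
        }
        $NetADSINFOS = $unix->SAMBA_GetNetAdsInfos();
        $KDC_SERVER = isset($NetADSINFOS["KDC server"]) ? $NetADSINFOS["KDC server"] : null;
    }
    if ($KDC_SERVER == null) {
        echo $stamp() . " Samba, [{$adminname}]: unable to join the domain {$domain_lower}\n";
    }

    echo $stamp() . " Samba, [{$adminname}]: setauthuser..\n";
    $cmd = "{$netbin} setauthuser {$credentials}";
    if ($verbose) {
        echo $stamp() . " {$function}, " . $redact($cmd) . "\n";
    }
    shell_exec($cmd);

    if ($ipaddr === "") {
        $JOINEDRES = false;
        echo $stamp() . " Samba, [{$adminname} 0]: join for {$workgroup} (without IP addr)\n";
        $cmd = "{$netbin} join {$credentials} {$workgroup} 2>&1";
        if ($verbose) {
            echo $stamp() . " {$function},[{$adminname} 0]: " . $redact($cmd) . "\n";
        }
        $A1 = array();
        exec($cmd, $A1);
        foreach ($A1 as $line) {
            if (preg_match("#Joined#", $line)) {
                echo $stamp() . " Samba, [{$adminname} 0]: join for {$workgroup} (without IP addr) success\n";
                $JOINEDRES = true;
                break;
            }
            $syslog($stamp() . " Samba, {$line}");
        }
        if (!$JOINEDRES) {
            echo $stamp() . " Samba, [{$adminname} 0]: join as netrpc.. (without IP addr)\n";
            $cmd = "{$netbin} rpc join {$credentials} {$workgroup} 2>&1";
            if ($verbose) {
                echo $stamp() . " {$function}, " . $redact($cmd) . "\n";
            }
            $A2 = array();
            exec($cmd, $A2);
            foreach ($A2 as $line) {
                if (preg_match("#Joined#", $line)) {
                    echo $stamp() . " Samba, [{$adminname} 0]: join for {$workgroup} (without IP addr) success\n";
                    break;
                }
                $syslog($stamp() . " Samba, {$line}");
            }
        }
    }

    if ($ipaddr !== "") {
        $cmd = "{$netbin} ads join -I {$ipaddr} {$credentials} {$workgroup} 2>&1";
        if (!$verbose) {
            echo $stamp() . " {$function}, [{$adminname} 1]: ads '{$netbin} ads join -I {$ipaddr} -U {$adminname}%**** {$workgroup}'\n";
        } else {
            echo $stamp() . " {$function},[{$adminname} 1]: " . $redact($cmd) . "\n";
        }
        $BIGRES2 = array();
        exec($cmd, $BIGRES2);
        foreach ($BIGRES2 as $line) {
            if (preg_match("#Failed to join#i", $line)) {
                echo $stamp() . " {$function}, [{$adminname} 1]: ads join failed ({$line}), using pure IP\n";
                // NOTE(review): this "pure IP" retry re-runs exactly the command that just
                // failed; the commented-out line the original carried here also passed
                // `-S <server>` — confirm which form is intended.
                if (!$verbose) {
                    echo $stamp() . " {$function}, [{$adminname} 1]: '{$netbin} ads join -I {$ipaddr} -U {$adminname}%*** {$workgroup}'\n";
                } else {
                    echo $stamp() . " {$function}, " . $redact($cmd) . "\n";
                }
                $BIGRES1 = array();
                exec($cmd, $BIGRES1);
                foreach ($BIGRES1 as $retryLine) {
                    echo $stamp() . " {$function}, [{$adminname} 2] {$retryLine}\n";
                    $syslog($stamp() . " {$function}, {$retryLine}");
                }
                break;
            }
            echo $stamp() . " Samba,[{$adminname} 1] {$line}\n";
            $syslog($stamp() . " {$function}, {$line}");
        }
    }

    if ($KDC_SERVER == null) {
        $NetADSINFOS = $unix->SAMBA_GetNetAdsInfos();
        $KDC_SERVER = isset($NetADSINFOS["KDC server"]) ? $NetADSINFOS["KDC server"] : null;
    }
    if ($KDC_SERVER == null) {
        echo $stamp() . " Samba, [{$adminname}]: unable to join the domain {$domain_lower}\n";
    }
    echo $stamp() . " Samba, [{$adminname}]: Kdc server ads : {$KDC_SERVER}\n";

    $cmd = "{$netbin} ads keytab create -P {$credentials} 2>&1";
    if ($verbose) {
        echo $stamp() . " Samba, " . $redact($cmd) . "\n";
    }
    $results = array();
    exec($cmd, $results);
    $php5 = $unix->LOCATE_PHP5_BIN();
    $unix->THREAD_COMMAND_SET("{$php5} " . dirname(__FILE__) . "/exec.adusers.php --computers");
    foreach ($results as $line) {
        echo $stamp() . " Samba,ads keytab: [{$adminname}]: {$line}\n";
    }
    shell_exec("/etc/init.d/winbind restart");
}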
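/**
 * articadatascgi dump of `net ads info`, cached in /etc/squid3/NET_ADS_INFOS.
 *
 * A cached map with more than 5 entries is served as-is. Otherwise `net ads info`
 * is run, parsed into key => value, "KDC server" is guaranteed to exist (null when
 * absent), and the result is both cached and echoed. Returns an empty array and
 * echoes nothing when the net binary cannot be found; returns nothing otherwise
 * (callers should not rely on the return value).
 *
 * Changes: the cache is only trusted when it actually unserialised to an array
 * (count() on false is a TypeError on PHP 8), $array is initialised before parsing,
 * the cache path is a single variable, and each() (removed in PHP 8) became foreach.
 */
function GetNetAdsInfos() {
    $unix = new unix();
    $cachefile = "/etc/squid3/NET_ADS_INFOS";
    @mkdir("/etc/squid3", 0755, true);

    if (is_file($cachefile)) {
        // The cache is written by this function only; unserialize() must never be
        // pointed at data another party can write (object injection).
        $cached = unserialize(@file_get_contents($cachefile));
        if (is_array($cached) && count($cached) > 5) {
            echo "<articadatascgi>" . base64_encode(serialize($cached)) . "</articadatascgi>";
            return;
        }
    }

    $net = $unix->LOCATE_NET_BIN_PATH();
    if (!is_file($net)) {
        return array();
    }
    $results = array();
    exec("{$net} ads info 2>&1", $results);

    $array = array();
    foreach ($results as $line) {
        if (preg_match("#^(.+?):(.+)#", trim($line), $re)) {
            $array[trim($re[1])] = trim($re[2]);
        }
    }
    if (!isset($array["KDC server"])) {
        $array["KDC server"] = null;
    }

    @file_put_contents($cachefile, serialize($array));
    echo "<articadatascgi>" . base64_encode(serialize($array)) . "</articadatascgi>";
}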