authorJim McDonough <jmcd@samba.org>2001-12-14 23:34:49 +0000
committerJim McDonough <jmcd@samba.org>2001-12-14 23:34:49 +0000
commite01b4bde386bd5decf55d4a1d497c7e8e4eb8170 (patch)
treeec4f045febe00de565e379949876327aa8fabd7d
parentc0db2b8234a0b674f5e74569d411177c04b81328 (diff)
Add support for userid/passwd auth on session setup from winbind to DC. Allows winbind to function in a 2k domain with restrict anonymous, or in a domain which trusts one like it.
-rw-r--r--source/Makefile.in3
-rw-r--r--source/nsswitch/wbinfo.c39
-rw-r--r--source/nsswitch/winbindd.h5
-rw-r--r--source/nsswitch/winbindd_cm.c32
4 files changed, 74 insertions, 5 deletions
diff --git a/source/Makefile.in b/source/Makefile.in
index fe62fc96b8b..281a779a6fd 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -392,7 +392,8 @@ WINBINDD_OBJ = \
$(GROUPDB_OBJ) $(PROFILE_OBJ) \
$(NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ)
-WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o
+WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \
+ passdb/secrets.o
WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o
diff --git a/source/nsswitch/wbinfo.c b/source/nsswitch/wbinfo.c
index 988f7d8ca48..a3cc8cb3307 100644
--- a/source/nsswitch/wbinfo.c
+++ b/source/nsswitch/wbinfo.c
@@ -420,12 +420,40 @@ static BOOL print_domain_groups(void)
return True;
}
+/* Set the authorised user for winbindd access in secrets.tdb */
+
+static BOOL wbinfo_set_auth_user(char *username)
+{
+ char *password;
+
+ /* Separate into user and password */
+
+ password = strchr(username, '%');
+
+ if (password) {
+ *password = 0;
+ password++;
+ } else
+ password = "";
+
+ /* Store in secrets.tdb */
+
+ if (!secrets_init() ||
+ !secrets_store(SECRETS_AUTH_USER, username, strlen(username) + 1) ||
+ !secrets_store(SECRETS_AUTH_PASSWORD, password, strlen(password) + 1)) {
+ fprintf(stderr, "error storing authenticated user info\n");
+ return False;
+ }
+
+ return True;
+}
+
/* Print program usage */
static void usage(void)
{
printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm "
- "| -a user%%password\n");
+ "| -aA user%%password\n");
printf("\t-u\t\t\tlists all domain users\n");
printf("\t-g\t\t\tlists all domain groups\n");
printf("\t-n name\t\t\tconverts name to sid\n");
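Review bot: wbinfo_set_auth_user reads the cleartext password straight from `optarg` in `user%password` form, so the secret is visible to other local users in the process table and usually ends up in shell history; the new `-A` inherits this from `-a`, but because this password is stored persistently in secrets.tdb it deserves a comment and, ideally, a fallback that prompts on the terminal when no `%` is present rather than silently storing an empty password. Suggested header comment in place of the one-liner at the top of the function: `/* Set the authorised user for winbindd access in secrets.tdb. The password is taken from argv (visible in ps); if no '%' is given an empty password is stored. */`. The in-place split (`*password = 0`) also modifies argv, which is harmless here but worth a one-line comment; the usage() definition at the end of the hunk continues outside it.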
@@ -438,6 +466,7 @@ static void usage(void)
printf("\t-m\t\t\tlist trusted domains\n");
printf("\t-r user\t\t\tget user groups\n");
printf("\t-a user%%password\tauthenticate user\n");
+ printf("\t-A user%%password\tstore session setup auth password\n");
}
/* Main program */
@@ -478,7 +507,7 @@ int main(int argc, char **argv)
return 1;
}
- while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:")) != EOF) {
+ while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:A:")) != EOF) {
switch (opt) {
case 'u':
if (!print_domain_users()) {
@@ -571,6 +600,12 @@ int main(int argc, char **argv)
break;
}
+ case 'A': {
+ if (!(wbinfo_set_auth_user(optarg))) {
+ return 1;
+ }
+ break;
+ }
/* Invalid option */
default:
diff --git a/source/nsswitch/winbindd.h b/source/nsswitch/winbindd.h
index 5974f330ece..5d1b43527bd 100644
--- a/source/nsswitch/winbindd.h
+++ b/source/nsswitch/winbindd.h
@@ -117,4 +117,9 @@ typedef struct {
#define SETENV(name, value, overwrite) ;
#endif
+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
+
#endif /* _WINBINDD_H */
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index f11d86d4c1b..21bea9da301 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -182,6 +182,35 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name)
return True;
}
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+ char *username, *password;
+
+ ZERO_STRUCTP(creds);
+
+ creds->pwd.null_pwd = True; /* anonymoose */
+
+ username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+ password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (username && *username) {
+ pwd_set_cleartext(&creds->pwd, password);
+ pwd_make_lm_nt_16(&creds->pwd, password);
+
+ fstrcpy(creds->user_name, username);
+ fstrcpy(creds->domain, lp_workgroup());
+
+ DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+ creds->user_name));
+ } else
+ DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
/* Open a new smb pipe connection to a DC on a given domain. Cache
negative creation attempts so we don't try and connect to broken
machines too often. */
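Review bot: cm_init_creds never releases the buffers returned by secrets_fetch, and it dereferences `password` without a NULL check even though only `username` is tested; if the AUTH_PASSWORD key is missing while AUTH_USER is set, pwd_set_cleartext is handed NULL. Assuming secrets_fetch returns a heap copy (as the tdb-backed fetch does), every connection attempt leaks two allocations, and the cleartext password copy lingers on the heap after the creds are built. The branch condition should include `password`, and both buffers should be scrubbed and freed once copied into `creds`; a plain memset may be elided by the optimizer, so a project-provided secure-zero helper is preferable if one exists. Making the function `static` like its siblings in this file would also keep it out of the global namespace unless another unit needs it.
```c
	username = secrets_fetch(SECRETS_AUTH_USER, NULL);
	password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);

	if (username && *username && password) {
		/* … unchanged: pwd_set_cleartext / pwd_make_lm_nt_16 / fstrcpy / DEBUG … */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* secrets_fetch() hands back heap copies; scrub the cleartext before freeing */
	if (password) {
		memset(password, 0, strlen(password));
		free(password);
	}
	free(username);
```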
@@ -257,8 +286,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name,
make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
- ZERO_STRUCT(creds);
- creds.pwd.null_pwd = 1;
+ cm_init_creds(&creds);
cli_init_creds(new_conn->cli, &creds);