summaryrefslogtreecommitdiffstats
path: root/source/nsswitch
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-08-19 22:47:10 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-08-19 22:47:10 +0000
commit96b4187963cedcfe158ff02868929b8cf81c6ebf (patch)
tree170c6cfe41d73b96cf2059d8a7d7b9310506cfd1 /source/nsswitch
parenteaf883abc0a35dc648fca497248281ac68246341 (diff)
downloadsamba-96b4187963cedcfe158ff02868929b8cf81c6ebf.tar.gz
samba-96b4187963cedcfe158ff02868929b8cf81c6ebf.tar.xz
samba-96b4187963cedcfe158ff02868929b8cf81c6ebf.zip
- Make 'net' use a single funciton for setting the 'use machine account' code.
- Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett
Diffstat (limited to 'source/nsswitch')
-rw-r--r--source/nsswitch/winbindd_cm.c90
1 files changed, 80 insertions, 10 deletions
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index f07117b5ab8..eaf10168db0 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -116,7 +116,8 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
struct winbindd_cm_conn *new_conn)
{
NTSTATUS result;
- char *ipc_username, *ipc_domain, *ipc_password;
+ char *machine_password;
+ char *machine_krb5_principal, *ipc_username, *ipc_domain, *ipc_password;
struct in_addr dc_ip;
int i;
BOOL retry = True;
@@ -137,10 +138,15 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
/* Initialise SMB connection */
- cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
+ /* grab stored passwords */
+ machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+
+ if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) {
+ SAFE_FREE(machine_password);
+ return NT_STATUS_NO_MEMORY;
+ }
- DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n",
- new_conn->controller, global_myname(), ipc_domain, ipc_username));
+ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
for (i = 0; retry && (i < 3); i++) {
BOOL got_mutex;
@@ -150,12 +156,75 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
continue;
}
- result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller,
- &dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain,
- ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK,
- Undefined, &retry);
-
- secrets_named_mutex_release(new_conn->controller);
+ new_conn->cli = NULL;
+ result = cli_start_connection(&new_conn->cli, global_myname(),
+ new_conn->controller,
+ &dc_ip, 0, Undefined,
+ CLI_FULL_CONNECTION_USE_KERBEROS,
+ &retry);
+
+ if (NT_STATUS_IS_OK(result)) {
+ if ((lp_security() == SEC_ADS)
+ && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) {
+ new_conn->cli->use_kerberos = True;
+ DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n",
+ new_conn->controller, global_myname(), machine_krb5_principal));
+
+ if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal,
+ machine_password,
+ domain)) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ new_conn->cli->use_kerberos = False;
+ if (!NT_STATUS_IS_OK(result)
+ && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+ DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n",
+ new_conn->controller, global_myname(), ipc_domain, ipc_username));
+
+ if (!cli_session_setup(new_conn->cli, ipc_username,
+ ipc_password, strlen(ipc_password)+1,
+ ipc_password, strlen(ipc_password)+1,
+ domain)) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ if (!cli_session_setup(new_conn->cli, "", NULL, 0,
+ NULL, 0,
+ "")) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ }
+ if (NT_STATUS_IS_OK(result) && !cli_send_tconX(new_conn->cli, "IPC$", "IPC",
+ "", 0)) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
+ cli_shutdown(new_conn->cli);
+ if (NT_STATUS_IS_OK(result)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ }
+
+ if (NT_STATUS_IS_OK(result)) {
+ struct ntuser_creds creds;
+ init_creds(&creds, ipc_username, ipc_domain, ipc_password);
+ cli_init_creds(new_conn->cli, &creds);
+ }
+
+ if (got_mutex)
+ secrets_named_mutex_release(new_conn->controller);
if (NT_STATUS_IS_OK(result))
break;
@@ -164,6 +233,7 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
SAFE_FREE(ipc_username);
SAFE_FREE(ipc_domain);
SAFE_FREE(ipc_password);
+ SAFE_FREE(machine_password);
if (!NT_STATUS_IS_OK(result)) {
add_failed_connection_entry(domain, new_conn->controller, result);