diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-08-19 22:47:10 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-08-19 22:47:10 +0000 |
commit | 96b4187963cedcfe158ff02868929b8cf81c6ebf (patch) | |
tree | 170c6cfe41d73b96cf2059d8a7d7b9310506cfd1 /source/nsswitch | |
parent | eaf883abc0a35dc648fca497248281ac68246341 (diff) | |
download | samba-96b4187963cedcfe158ff02868929b8cf81c6ebf.tar.gz samba-96b4187963cedcfe158ff02868929b8cf81c6ebf.tar.xz samba-96b4187963cedcfe158ff02868929b8cf81c6ebf.zip |
- Make 'net' use a single funciton for setting the 'use machine account' code.
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
Diffstat (limited to 'source/nsswitch')
-rw-r--r-- | source/nsswitch/winbindd_cm.c | 90 |
1 files changed, 80 insertions, 10 deletions
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c index f07117b5ab8..eaf10168db0 100644 --- a/source/nsswitch/winbindd_cm.c +++ b/source/nsswitch/winbindd_cm.c @@ -116,7 +116,8 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, struct winbindd_cm_conn *new_conn) { NTSTATUS result; - char *ipc_username, *ipc_domain, *ipc_password; + char *machine_password; + char *machine_krb5_principal, *ipc_username, *ipc_domain, *ipc_password; struct in_addr dc_ip; int i; BOOL retry = True; @@ -137,10 +138,15 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, /* Initialise SMB connection */ - cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); + /* grab stored passwords */ + machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + + if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(), lp_realm()) == -1) { + SAFE_FREE(machine_password); + return NT_STATUS_NO_MEMORY; + } - DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", - new_conn->controller, global_myname(), ipc_domain, ipc_username)); + cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); for (i = 0; retry && (i < 3); i++) { BOOL got_mutex; @@ -150,12 +156,75 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, continue; } - result = cli_full_connection(&new_conn->cli, global_myname(), new_conn->controller, - &dc_ip, 0, "IPC$", "IPC", ipc_username, ipc_domain, - ipc_password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, - Undefined, &retry); - - secrets_named_mutex_release(new_conn->controller); + new_conn->cli = NULL; + result = cli_start_connection(&new_conn->cli, global_myname(), + new_conn->controller, + &dc_ip, 0, Undefined, + CLI_FULL_CONNECTION_USE_KERBEROS, + &retry); + + if (NT_STATUS_IS_OK(result)) { + if ((lp_security() == SEC_ADS) + && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) { + new_conn->cli->use_kerberos = True; + DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n", + new_conn->controller, global_myname(), machine_krb5_principal)); + + if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, + machine_password, + domain)) { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + } + new_conn->cli->use_kerberos = False; + if (!NT_STATUS_IS_OK(result) + && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) { + DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n", + new_conn->controller, global_myname(), ipc_domain, ipc_username)); + + if (!cli_session_setup(new_conn->cli, ipc_username, + ipc_password, strlen(ipc_password)+1, + ipc_password, strlen(ipc_password)+1, + domain)) { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + } + if (!NT_STATUS_IS_OK(result)) { + if (!cli_session_setup(new_conn->cli, "", NULL, 0, + NULL, 0, + "")) { + result = cli_nt_error(new_conn->cli); + DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result))); + if (NT_STATUS_IS_OK(result)) + result = NT_STATUS_UNSUCCESSFUL; + } + + } + if (NT_STATUS_IS_OK(result) && !cli_send_tconX(new_conn->cli, "IPC$", "IPC", + "", 0)) { + result = cli_nt_error(new_conn->cli); + DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result))); + cli_shutdown(new_conn->cli); + if (NT_STATUS_IS_OK(result)) { + result = NT_STATUS_UNSUCCESSFUL; + } + } + } + + if (NT_STATUS_IS_OK(result)) { + struct ntuser_creds creds; + init_creds(&creds, ipc_username, ipc_domain, ipc_password); + cli_init_creds(new_conn->cli, &creds); + } + + if (got_mutex) + secrets_named_mutex_release(new_conn->controller); if (NT_STATUS_IS_OK(result)) break; @@ -164,6 +233,7 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, SAFE_FREE(ipc_username); SAFE_FREE(ipc_domain); SAFE_FREE(ipc_password); + SAFE_FREE(machine_password); if (!NT_STATUS_IS_OK(result)) { add_failed_connection_entry(domain, new_conn->controller, result); |