svn commit: samba r2844 - in trunk/source/libads: .
mimir at samba.org
mimir at samba.org
Thu Oct 7 13:52:37 GMT 2004
Author: mimir
Date: 2004-10-07 13:52:36 +0000 (Thu, 07 Oct 2004)
New Revision: 2844
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/trunk/source/libads&rev=2844&nolog=1
Log:
Big patch. Switch from secrets_* functions to new trust passwords
api integrated with passdb interface.
- use pdb_* trust password interface instead of secrets_*
rafal
Modified:
trunk/source/libads/kerberos_keytab.c
trunk/source/libads/kerberos_verify.c
trunk/source/libads/util.c
Changeset:
Modified: trunk/source/libads/kerberos_keytab.c
===================================================================
--- trunk/source/libads/kerberos_keytab.c 2004-10-07 13:50:51 UTC (rev 2843)
+++ trunk/source/libads/kerberos_keytab.c 2004-10-07 13:52:36 UTC (rev 2844)
@@ -36,6 +36,8 @@
int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
{
krb5_error_code ret = 0;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SAM_TRUST_PASSWD *trust = NULL;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_kt_cursor cursor;
@@ -83,20 +85,19 @@
goto out;
}
- /* retrieve the password */
- if (!secrets_init()) {
- DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
- ret = -1;
- goto out;
+ nt_status = pdb_init_trustpw(&trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return False;
}
- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (!password_s) {
- DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
- ret = -1;
- goto out;
+
+ nt_status = pdb_gettrustpwnam(trust, lp_workgroup());
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ trust->free_fn(&trust);
+ return False;
}
- password.data = password_s;
- password.length = strlen(password_s);
+
+ password.data = trust->private.pass.data;
+ password.length = trust->private.pass.length;
/* Construct our principal */
name_to_fqdn(my_fqdn, global_myname());
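Review bot: Both new failure branches `return False` from a function whose result is a `krb5_error_code`, so (assuming Samba's usual `False` == 0) a failed trust-password lookup is reported as success and the cleanup reached by the `goto out` just above is skipped. The removed code logged at DEBUG level 1 and then did `ret = -1; goto out;`. The new branches should do the same, for example `DEBUG(1,("ads_keytab_add_entry: failed to fetch trust password\n")); ret = -1; goto out;`. With that change the `trust->free_fn(&trust)` in the second branch should be dropped, because the cleanup hunk further down already releases `trust`. ads_keytab_add_entry starts above and continues below this hunk.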
@@ -253,6 +254,7 @@
SAFE_FREE(principal);
SAFE_FREE(password_s);
SAFE_FREE(princ_s);
+ trust->free_fn(&trust);
{
krb5_keytab_entry zero_kt_entry;
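Review bot: `trust->free_fn(&trust);` is called unconditionally, but `trust` starts as NULL, and the `goto out` visible before `pdb_init_trustpw()` in the previous hunk appears to reach this cleanup, which would dereference a null pointer on that error path. Guard it with `if (trust) trust->free_fn(&trust);`. The same unguarded call is added at the end of the function in kerberos_verify.c and under `failed:` in util.c; whether `trust` can be NULL there depends on code outside those hunks. It is also worth confirming that free_fn wipes the password buffer before releasing it, since `password.data` now points straight at the stored machine secret. The cleanup label itself is outside this hunk.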
Modified: trunk/source/libads/kerberos_verify.c
===================================================================
--- trunk/source/libads/kerberos_verify.c 2004-10-07 13:50:51 UTC (rev 2843)
+++ trunk/source/libads/kerberos_verify.c 2004-10-07 13:52:36 UTC (rev 2844)
@@ -131,6 +131,8 @@
const DATA_BLOB *ticket, krb5_data *p_packet, krb5_ticket **pp_tkt)
{
krb5_error_code ret = 0;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SAM_TRUST_PASSWD *trust = NULL;
BOOL auth_ok = False;
char *password_s = NULL;
krb5_data password;
@@ -142,14 +144,19 @@
return False;
}
- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (!password_s) {
- DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
+ nt_status = pdb_init_trustpw(&trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
return False;
}
- password.data = password_s;
- password.length = strlen(password_s);
+ nt_status = pdb_gettrustpwnam(trust, lp_workgroup());
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ trust->free_fn(&trust);
+ return False;
+ }
+
+ password.data = trust->private.pass.data;
+ password.length = trust->private.pass.length;
/* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
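Review bot: `password.length` is now taken from `trust->private.pass.length` where the removed code used `strlen(password_s)`, yet the util.c part of this commit stores the password with `pdb_set_tp_pass(trust, new_password, strlen(new_password) + 1)`. If the stored length counts the terminating NUL, the key derived from this blob would differ from the one the KDC holds and ticket verification would fail; the identical assignment in kerberos_keytab.c would write keytab entries with the wrong key. Pick one convention and document it on the field: either store the length without the terminator, or, if the buffer is guaranteed NUL-terminated, use `password.length = strlen(trust->private.pass.data);` here. The new failure branches also drop the DEBUG(1) message the old code logged, which makes a missing machine secret harder to diagnose. The function starts above and continues below this hunk.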
@@ -197,6 +204,7 @@
free_kerberos_etypes(context, enctypes);
SAFE_FREE(password_s);
+ trust->free_fn(&trust);
return auth_ok;
}
Modified: trunk/source/libads/util.c
===================================================================
--- trunk/source/libads/util.c 2004-10-07 13:50:51 UTC (rev 2843)
+++ trunk/source/libads/util.c 2004-10-07 13:52:36 UTC (rev 2844)
@@ -25,17 +25,30 @@
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
char *tmp_password;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ SAM_TRUST_PASSWD *trust = NULL;
char *password;
char *new_password;
char *service_principal;
ADS_STATUS ret;
uint32 sec_channel_type;
+
+ nt_status = pdb_init_trustpw(&trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not init trust password\n"));
+ return ADS_ERROR_SYSTEM(ENOMEM);
+ }
- if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
- DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
- return ADS_ERROR_SYSTEM(ENOENT);
+ nt_status = pdb_gettrustpwnam(trust, lp_workgroup());
+ if (!NT_STATUS_IS_OK(nt_status) || !(trust->private.flags | PASS_MACHINE_TRUST_ADS)) {
+ DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
+ trust->free_fn(&trust);
+ return ADS_ERROR_SYSTEM(ENOENT);
}
-
+
+ password = trust->private.pass.data;
+ sec_channel_type = SCHANNEL_TYPE(trust->private.flags);
+
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
new_password = strdup(tmp_password);
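Review bot: The flag test `!(trust->private.flags | PASS_MACHINE_TRUST_ADS)` uses bitwise OR, which is non-zero whenever the flag constant is non-zero, so the negation is always false and the ADS trust-type check never rejects anything. It should be a mask test: `!(trust->private.flags & PASS_MACHINE_TRUST_ADS)`. As written, a trust entry of any other type would have its password used and rotated as if it were the ADS machine account. `password` now aliases memory owned by `trust`, so code below the hunk must not free it separately. The function continues below the hunk.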
@@ -45,14 +58,21 @@
if (!ADS_ERR_OK(ret)) goto failed;
- if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
- DEBUG(1,("Failed to save machine password\n"));
+ pdb_set_tp_pass(trust, new_password, strlen(new_password) + 1);
+ trust->private.pass.data[trust->private.pass.length] = '\0';
+ pdb_set_tp_mod_time(trust, time(NULL));
+
+ nt_status = pdb_update_trust_passwd(trust);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1,("Failed to update trust password\n"));
+ trust->free_fn(&trust);
return ADS_ERROR_SYSTEM(EACCES);
}
-
+
failed:
SAFE_FREE(service_principal);
SAFE_FREE(new_password);
+ trust->free_fn(&trust);
return ret;
}
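Review bot: `trust->private.pass.data[trust->private.pass.length] = '\0';` writes at index `length` right after `pdb_set_tp_pass()` was given `strlen(new_password) + 1` bytes. If the setter records that count as `pass.length`, the store lands one byte past the copied data, and whether it stays inside the buffer depends on an allocation size not visible here. Since the copied bytes already include the terminator, the line can be dropped, or it should index `length - 1` after checking `length > 0`. Separately, the update-failure branch returns directly and skips the `failed:` cleanup, so `service_principal` and `new_password` (the freshly generated secret) are not freed. Setting `ret = ADS_ERROR_SYSTEM(EACCES);` and falling through to `failed:` would release both and leave a single `free_fn` call.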