svn commit: samba r4893 - in branches/SAMBA_4_0/source/libcli/auth: .

abartlet at samba.org abartlet at samba.org
Fri Jan 21 11:23:18 GMT 2005


Author: abartlet
Date: 2005-01-21 11:23:11 +0000 (Fri, 21 Jan 2005)
New Revision: 4893

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4893

Log:
Move to using secrets.ldb for the Kerberos verify, instead of
secrets.tdb from Samba3.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2005-01-21 11:23:11 UTC (rev 4892)
+++ branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2005-01-21 11:23:11 UTC (rev 4893)
@@ -26,6 +26,8 @@
 #include "system/kerberos.h"
 #include "libcli/auth/kerberos.h"
 #include "asn_1.h"
+#include "lib/ldb/include/ldb.h"
+#include "secrets.h"
 
 #ifdef HAVE_KRB5
 
@@ -179,27 +181,47 @@
 						 krb5_keyblock *keyblock)
 {
 	krb5_error_code ret = 0;
-	char *password_s = NULL;
 	krb5_data password;
 	krb5_enctype *enctypes = NULL;
 	int i;
-
+	const struct ldb_val *password_v;
+	struct ldb_wrap *ldb;
+	int ldb_ret;
+	struct ldb_message **msgs;
+	const char *base_dn = SECRETS_PRIMARY_DOMAIN_DN;
+	const char *attrs[] = {
+		"secret",
+		NULL
+	};
+	
 	ZERO_STRUCTP(keyblock);
 
-	if (!secrets_init()) {
-		DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
-		return KRB5_KT_END;
+	/* Local secrets are stored in secrets.ldb */
+	ldb = secrets_db_connect(mem_ctx);
+	if (!ldb) {
+		return ENOENT;
 	}
 
-	password_s = secrets_fetch_machine_password(lp_workgroup());
-	if (!password_s) {
-		DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
-		return KRB5_KT_END;
+	/* search for the secret record */
+	ldb_ret = samdb_search(ldb,
+			       mem_ctx, base_dn, &msgs, attrs,
+			       "(&(realm=%s)(objectclass=primaryDomain))", 
+			       lp_realm());
+	if (ldb_ret == 0) {
+		DEBUG(1, ("Could not find domain join record for %s\n",
+			  lp_realm()));
+		return ENOENT;
+	} else if (ldb_ret != 1) {
+		DEBUG(1, ("Found %d records matching cn=%s under DN %s\n", ldb_ret, 
+			  lp_realm(), base_dn));
+		return ENOENT;
 	}
 
-	password.data = password_s;
-	password.length = strlen(password_s);
+	password_v = ldb_msg_find_ldb_val(msgs[0], "secret");
 
+	password.data = password_v->data;
+	password.length = password_v->length;
+
 	/* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
 
 	if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
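Review bot: `password_v` is dereferenced right after `ldb_msg_find_ldb_val(msgs[0], "secret")` without a NULL check, so a primaryDomain record that has no `secret` attribute (or an empty one) crashes the verify path instead of failing it; add `if (!password_v) { DEBUG(1, ("Domain join record for %s has no secret\n", lp_realm())); return ENOENT; }` before `password.data = password_v->data;`. The two error paths above it return `ENOENT` rather than a `krb5_error_code` as the old code did; that is presumably deliberate, but the `ret` variable of this `krb5_error_code`-returning function now mixes errno and krb5 values, which callers comparing against `KRB5_KT_END` may not expect. The multi-record DEBUG message says `cn=%s` while the filter searched on `realm=%s`; `"Found %d records matching realm=%s under DN %s\n"` would describe what was actually queried. The enclosing function starts before this hunk and its `out:` cleanup is in the next one.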
@@ -247,7 +269,6 @@
  out:
 
 	free_kerberos_etypes(context, enctypes);
-	SAFE_FREE(password_s);
 
 	return ret;
 }


