svn commit: samba r10090 - in branches/tmp/RPCREWRITE/source/auth: .

jra at samba.org jra at samba.org
Thu Sep 8 20:29:20 GMT 2005


Author: jra
Date: 2005-09-08 20:29:19 +0000 (Thu, 08 Sep 2005)
New Revision: 10090

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10090

Log:
Fix up domain password check with no schannel.
Jeremy.

Modified:
   branches/tmp/RPCREWRITE/source/auth/auth_domain.c


Changeset:
Modified: branches/tmp/RPCREWRITE/source/auth/auth_domain.c
===================================================================
--- branches/tmp/RPCREWRITE/source/auth/auth_domain.c	2005-09-08 19:58:59 UTC (rev 10089)
+++ branches/tmp/RPCREWRITE/source/auth/auth_domain.c	2005-09-08 20:29:19 UTC (rev 10090)
@@ -104,17 +104,46 @@
 		netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain);
 	} else {
 		netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON);
+	}
 
-		/* We need to set up a creds chain on an unauthenticated pipe. */
-		ntresult = rpccli_netlogon_setup_creds(netlogon_pipe,
-						dc_name,
-						domain,
-						global_myname(),
-						trust_password,
-						sec_channel_type,
-						&neg_flags);
+	if(!netlogon_pipe) {
+		DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
+machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli)));
+		cli_shutdown(*cli);
+		release_server_mutex();
+		return NT_STATUS_NO_LOGON_SERVERS;
 	}
 
+	if (!lp_client_schannel()) {
+		/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
+		uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+		uint32 sec_chan_type = 0;
+		char machine_pwd[16];
+
+		if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+			DEBUG(0, ("connect_to_domain_password_server: could not fetch "
+			"trust account password for domain '%s'\n",
+				domain));
+			cli_shutdown(*cli);
+			release_server_mutex();
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		result = rpccli_netlogon_setup_creds(netlogon_pipe,
+					dc_name,
+					domain,
+					global_myname(),
+					machine_pwd,
+					sec_chan_type,
+					&neg_flags);
+
+		if (!NT_STATUS_IS_OK(result)) {
+			cli_shutdown(*cli);
+			release_server_mutex();
+			return result;
+		}
+	}
+
 	if(!netlogon_pipe) {
 		DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
 machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli)));
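Review bot: The 16-byte `machine_pwd` buffer declared in the new `if (!lp_client_schannel())` block is filled with the trust account password by get_trust_pw() and is never cleared, so the secret stays on the stack after each return in that block and after the block ends. Wiping it immediately after the rpccli_netlogon_setup_creds() call, e.g. `memset(machine_pwd, 0, sizeof(machine_pwd));` (or a wipe the compiler cannot elide), would cover both the error return and the success path. The `if(!netlogon_pipe)` check added ahead of this block also makes the identical check left as context at the end of the hunk unreachable, so that second copy can be dropped; its body and the rest of the function lie outside the hunk. The setup_creds failure branch returns `result` without a DEBUG message, unlike the two other failure branches here, so a failed credential-chain setup against the DC would be hard to spot in the logs.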
@@ -345,8 +374,8 @@
 	 * No need to become_root() as secrets_init() is done at startup.
 	 */
 
-	if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
-	{
+	if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password,
+				&sid, &last_change_time)) {
 		DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}


