svn commit: samba r24792 - in branches/SAMBA_3_2_0/source/utils: .

mimir at samba.org mimir at samba.org
Wed Aug 29 20:53:11 GMT 2007


Author: mimir
Date: 2007-08-29 20:53:09 +0000 (Wed, 29 Aug 2007)
New Revision: 24792

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24792

Log:
Merge from 3_2:

Add machine-authenticated connections to the netlogon pipe of win2k and newer
(which may have anonymous connections restricted), and keep using anonymous
connections for winnt domains.


rafal


Modified:
   branches/SAMBA_3_2_0/source/utils/net.c
   branches/SAMBA_3_2_0/source/utils/net_ads.c
   branches/SAMBA_3_2_0/source/utils/net_rpc_join.c


Changeset:
Modified: branches/SAMBA_3_2_0/source/utils/net.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net.c	2007-08-29 20:49:09 UTC (rev 24791)
+++ branches/SAMBA_3_2_0/source/utils/net.c	2007-08-29 20:53:09 UTC (rev 24792)
@@ -341,10 +341,10 @@
 }
 
 /****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (upn) and password for this session.
 ****************************************************************************/
 
-int net_use_machine_password(void) 
+int net_use_upn_machine_account(void) 
 {
 	char *user_name = NULL;
 
@@ -353,7 +353,6 @@
 		exit(1);
 	}
 
-	user_name = NULL;
 	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
 	if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
 		return -1;
@@ -362,6 +361,27 @@
 	return 0;
 }
 
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+	char *user_name = NULL;
+		
+	if (!secrets_init()) {
+		d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+		exit(1);
+	}
+
+	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+	if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+		return -1;
+	}
+	opt_user_name = user_name;
+	return 0;
+}
+
 BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name)
 {
 	const char *d = domain ? domain : opt_target_workgroup;
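Review bot: In the added net_use_machine_account(), the result of secrets_fetch_machine_password() is stored in opt_password without a check, so the function returns 0 even when no machine secret is available for opt_target_workgroup (the fetch presumably returns NULL in that case). A caller then cannot tell that machine authentication was never set up. I would add `if (opt_password == NULL) return -1;` right after the fetch, plus a short comment noting that the function replaces the global opt_user_name and opt_password for the rest of the process. As far as the hunks show, the body duplicates net_use_upn_machine_account() apart from the asprintf format, so the same check applies there and the two could share one static helper.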
@@ -1044,7 +1064,7 @@
 		/* it is very useful to be able to make ads queries as the
 		   machine account for testing purposes and for domain leave */
 
-		net_use_machine_password();
+		net_use_upn_machine_account();
 	}
 
 	if (!opt_password) {

Modified: branches/SAMBA_3_2_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net_ads.c	2007-08-29 20:49:09 UTC (rev 24791)
+++ branches/SAMBA_3_2_0/source/utils/net_ads.c	2007-08-29 20:53:09 UTC (rev 24792)
@@ -882,7 +882,7 @@
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	net_use_machine_password();
+	net_use_upn_machine_account();
 
 	status = ads_startup(True, &ads);
 	if (!ADS_ERR_OK(status)) {
@@ -2187,7 +2187,7 @@
 		return -1;
 	}
 
-	net_use_machine_password();
+	net_use_upn_machine_account();
 
 	use_in_memory_ccache();
 

Modified: branches/SAMBA_3_2_0/source/utils/net_rpc_join.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net_rpc_join.c	2007-08-29 20:49:09 UTC (rev 24791)
+++ branches/SAMBA_3_2_0/source/utils/net_rpc_join.c	2007-08-29 20:53:09 UTC (rev 24792)
@@ -42,14 +42,29 @@
  **/
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
+	enum security_types sec;
+	unsigned int conn_flags = NET_FLAGS_PDC;
 	uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
 
+	sec = (enum security_types)lp_security();
+
+	if (sec == SEC_ADS) {
+		/* Connect to IPC$ using machine account's credentials. We don't use anonymous
+		   connection here, as it may be denied by server's local policy. */
+		net_use_machine_account();
+
+	} else {
+		/* some servers (e.g. WinNT) don't accept machine-authenticated
+		   smb connections */
+		conn_flags |= NET_FLAGS_ANONYMOUS;
+	}
+
 	/* Connect to remote machine */
-	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
 		return -1;
 	}
 
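Review bot: The call `net_use_machine_account();` in the SEC_ADS branch ignores its return value, so if it fails the code still reaches net_make_ipc_connection_ex() without NET_FLAGS_ANONYMOUS and with whatever opt_user_name and opt_password held before. Depending on how the connection helper treats a missing password (not visible here), that could mean a password prompt or an attempt with the caller's own credentials instead of the machine account. I would write `if (net_use_machine_account() != 0) { return -1; }`. The call also replaces the global credentials as a side effect, which deserves a line in the function's header comment; the body of net_rpc_join_ok continues past the end of this hunk.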


