[SCM] Samba Shared Repository - branch v3-0-test updated -
release-3-0-28-71-gf76f994
Michael Adam
obnox at samba.org
Thu Dec 20 09:51:08 GMT 2007
The branch, v3-0-test has been updated
from 3cf02ba9781ff8c841f56945d70241a3c11f0f28 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit f76f994e471ff8f62714a51bdc15469e08aa7062
Author: Michael Adam <obnox at samba.org>
Date: Wed Dec 19 18:18:30 2007 +0100
Only retrieve password policies in pam_auth when WBFLAG_PAM_GET_PWD is set.
This essentially re-establishes r14496 (2155bb0535656f294bd054d6a0a7d16a9a71c31b)
which was undone in r17723 (43bd8c00abb38eb23a1497a255d194fb1bbffffb) for
reasons that are unclear to me. Maybe I am being too naive.
Now we do again only retrieve the password policy when called from
the pam_winbind module. This fixes logons delegated to AD trusted
domain controllers: We need to connect to the sam to retrieve the
password policy. But authenticated session setup is not possible
when contacting the trusted domain dc and afterwards, SamrConnect
also fails with whatever credentials and method used.
Michael
commit bce6c238edbbfe54807b549d17a07366feff2497
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 18 07:58:38 2007 +0100
Fix a debug message: add missing space.
Michael
commit 18b3960ba9b3e07ca1c2abf1de24ef07f9f9dab3
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 18 01:55:32 2007 +0100
Fix logic error in cm_connect_sam().
Don't fall back to schannel when trust creds could be obtained.
This is still not complete, but I am getting closer.
Michael
commit a5d2a6fc40e033f2f8342269a6169d23b1bb4542
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 18 01:32:02 2007 +0100
Fix another segfault.
Michael
commit 10a8cf19d6a3d77dbf6c94748bfb3038f9b5ef8a
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Mon Dec 17 17:33:48 2007 -0600
Fix a segv in winbindd caused by trying to free an fstring. Make a copy of the machine_password and machine_account strings in all conditional paths so that SAFE_FREE() will always be valid.
commit fb04894949ef7fa54b3c1870ead7ea171c3f735b
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 23:26:48 2007 +0100
Make cm_connect_sam() try harder to connect authenticated.
Even if the session setup was anonymous, try and collect
trust creds with get_trust_creds() and use these before
falling back to schannel.
This is the first attempt to fix interdomain trusts.
(get password policy and stuff)
Michael
commit 88a04cf19a0d521d8d1bf0f3b8cf8273b42c0bdd
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 23:24:36 2007 +0100
Refactor out assembling of trust creds (pw, account name, principal).
Michael
commit a4337966e29cd67f542e2604117ca1c4be60ff42
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 23:22:28 2007 +0100
Streamline and fix logic of cm_prepare_connection().
Do not attempt to do a session setup when in a trusted domain
situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
Use get_trust_pw_clear to get machine trust account.
Only call this when the result is really used.
Use the proper domain and account name for session setup.
Michael
commit c9b7bfbdcebd4ed892becfc291df9160bb101151
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 23:11:31 2007 +0100
Refactor out get_schannel_session_key logic.
Refactor the actual retrieval of the session key through the
established netlogon pipe out of get_schannel_session_key()
and get_schannel_session_key_auth_ntlmssp() into a new
function get_schannel_session_key_common().
(To avoid code duplication.)
Michael
commit 3f15bbc8cf38ecfe58ad9b0711aa93201971dfd0
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 22:37:29 2007 +0100
Pass NULL instead of unneeded &sid: secrets_fetch_trusted_domain_password() checks.
Michael
commit 9f2dcc2d6123fdb710eb2920c3158f38f67e1549
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 22:29:54 2007 +0100
Rename get_trust_pw() to get_trust_pw_hash().
Michael
commit 0bdb00df8287779e75cfbb7b9e239a04442509d7
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 22:26:52 2007 +0100
Export logic of get_trust_pw() to new function get_trust_pw_clear().
get_trust_pw() just now computes the md4 hash of the result of
get_trust_pw_clear() if that was successful. As a last resort,
in the non-trusted-domain-situation, get_trust_pw() now tries to
directly obtain the hashed version of the password out of secrets.tdb.
Michael
commit 63d27ae58658653b93178169ed74e2c96bfd5f56
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 17:49:13 2007 +0100
Refactor the legacy part of secrets_fetch_trust_account_password() out
into a new function secrets_fetch_trust_account_password_legacy() that
does only try to obtain the hashed version of the machine password directly
from secrets.tdb.
Michael
commit 45d0b0db8aa92f56584bb8fab4ea525ea2b449c7
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 17:42:05 2007 +0100
Let get_trust_pw() determine the machine_account_name to use.
Up to now each caller used its own logic.
This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In this situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.
I hope I have not missed an important point here!
Michael
commit 0b850e805479dbed71589ba414c77539b78995b6
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 17:38:06 2007 +0100
Remove silly amounts of trailing white spaces.
Michael
commit 263092d3541a2d33e3ac8ddc5088e66aa9d1ccfb
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 12:47:28 2007 +0100
Streamline logic in cm_connect_netlogon()
by retrieving trust password only, when it will be used.
Michael
commit c733a29f15eb6dfda6f3199839e714a58b778f20
Author: Michael Adam <obnox at samba.org>
Date: Tue Sep 11 16:15:36 2007 +0000
r25086: Fix interdomain trusts (this provides the fix expected in r22709):
Fix winbindd on a Samba DC talking to a trusted domain DC by
making it use the trusted domain password...
Michael
I hope this does not break any other setup.
commit cbb2ad1b1d3b388c6d4a4612338e9cc4eea351e1
Author: Gerald Carter <jerry at samba.org>
Date: Sun May 6 19:48:13 2007 +0000
r22709: we can only use tschannel when connecting to our primary (might need some fixing here for a Samba DC)
commit de85ada7c3bb0cd1a0972682b1c4d99190549904
Author: Michael Adam <obnox at samba.org>
Date: Tue Dec 11 08:52:20 2007 +0100
In cm_prepare_connection(), only get auth user creds if we need to.
Michael
commit 2ccab1b3fa733199cbc382b63ba683de4e4ad596
Author: Michael Adam <obnox at samba.org>
Date: Mon Dec 17 15:19:38 2007 +0100
Remove two unneeded functions.
secrets_store_trust_account_password() and trust_password_delete()
are the write access functions to the SECRETS/$MACHINE.ACC/domain keys
in secrets.tdb, the md4 hashed machine passwords. These are not used
any more: Current code always writes the clear text password.
Michael
-----------------------------------------------------------------------
Summary of changes:
source/auth/auth_domain.c | 7 ++-
source/nsswitch/pam_winbind.c | 4 +-
source/nsswitch/winbindd_cm.c | 155 +++++++++++++++++++++++++--------------
source/nsswitch/winbindd_nss.h | 2 +-
source/nsswitch/winbindd_pam.c | 10 ++-
source/passdb/secrets.c | 157 +++++++++++++++++++++++++++-------------
source/rpc_client/cli_pipe.c | 131 ++++++++++++----------------------
7 files changed, 266 insertions(+), 200 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
index a32677d..3fae8b4 100644
--- a/source/auth/auth_domain.c
+++ b/source/auth/auth_domain.c
@@ -128,8 +128,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
+ const char *account_name;
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+ if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
+ &sec_chan_type))
+ {
DEBUG(0, ("connect_to_domain_password_server: could not fetch "
"trust account password for domain '%s'\n",
domain));
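Review bot: account_name is declared without an initializer and its ownership is not stated at the call to get_trust_pw_hash(). The later hunk in this file passes it on as the machine account name, so initialize it to NULL and document in get_trust_pw_hash() that the caller must not free it and how long the pointer stays valid.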
@@ -143,7 +146,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
dc_name, /* server name */
domain, /* domain */
global_myname(), /* client name */
- global_myname(), /* machine account name */
+ account_name, /* machine account name */
machine_pwd,
sec_chan_type,
&neg_flags);
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index ec6361e..2846e14 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -1028,7 +1028,9 @@ static int winbind_auth_request(pam_handle_t * pamh,
request.data.auth.krb5_cc_type[0] = '\0';
request.data.auth.uid = -1;
- request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM;
+ request.flags = WBFLAG_PAM_INFO3_TEXT |
+ WBFLAG_PAM_GET_PWD_POLICY |
+ WBFLAG_PAM_CONTACT_TRUSTDOM;
if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
struct passwd *pwd = NULL;
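Review bot: WBFLAG_PAM_GET_PWD_POLICY is OR-ed into request.flags unconditionally, so every pam_winbind auth request still asks winbindd for the password policy, including logons for trusted-domain users where the commit message says the SAM connection fails. Consider setting the flag only on the paths where the module actually consumes the policy data. The commit subject also names the flag WBFLAG_PAM_GET_PWD, while the constant used here is WBFLAG_PAM_GET_PWD_POLICY.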
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index 9fa1ef1..6dc2522 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -585,6 +585,40 @@ static BOOL get_dc_name_via_netlogon(const struct winbindd_domain *domain,
return True;
}
+/**
+ * Helper function to assemble trust password and account name
+ */
+static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
+ char **machine_password,
+ char **machine_account,
+ char **machine_krb5_principal)
+{
+ const char *account_name;
+
+ if (!get_trust_pw_clear(domain->name, machine_password,
+ &account_name, NULL))
+ {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if ((machine_account != NULL) &&
+ (asprintf(machine_account, "%s$", account_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* this is at least correct when domain is our domain,
+ * which is the only case, when this is currently used: */
+ if ((machine_krb5_principal != NULL) &&
+ (asprintf(machine_krb5_principal, "%s$@%s", account_name,
+ domain->alt_name) == -1))
+ {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
/************************************************************************
Given a fd with a just-connected TCP connection to a DC, open a connection
to the pipe.
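Review bot: the error paths in get_trust_creds() return with outputs partly filled in. If the second asprintf() fails, *machine_password and *machine_account stay allocated and cleanup is left to each caller. Freeing and resetting the outputs to NULL inside the helper before returning NT_STATUS_NO_MEMORY would make the contract simpler, and the header comment should state who frees what. machine_password is also the only output that is not checked for NULL before use. The in-code remark that the principal built from domain->alt_name is only correct for our own domain deserves an explicit guard rather than a comment.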
@@ -596,8 +630,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
struct cli_state **cli,
BOOL *retry)
{
- char *machine_password, *machine_krb5_principal, *machine_account;
- char *ipc_username, *ipc_domain, *ipc_password;
+ char *machine_password = NULL;
+ char *machine_krb5_principal = NULL;
+ char *machine_account = NULL;
+ char *ipc_username = NULL;
+ char *ipc_domain = NULL;
+ char *ipc_password = NULL;
BOOL got_mutex;
@@ -611,23 +649,6 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n",
controller, domain->name ));
- machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,
- NULL);
-
- if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
- SAFE_FREE(machine_password);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),
- lp_realm()) == -1) {
- SAFE_FREE(machine_account);
- SAFE_FREE(machine_password);
- return NT_STATUS_NO_MEMORY;
- }
-
- cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
-
*retry = True;
got_mutex = secrets_named_mutex(controller,
@@ -684,10 +705,20 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
- if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) {
+
+ if (!is_trusted_domain_situation(domain->name) &&
+ (*cli)->protocol >= PROTOCOL_NT1 &&
+ (*cli)->capabilities & CAP_EXTENDED_SECURITY)
+ {
ADS_STATUS ads_status;
+ result = get_trust_creds(domain, &machine_password,
+ &machine_account,
+ &machine_krb5_principal);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
if (lp_security() == SEC_ADS) {
/* Try a krb5 session */
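Review bot: the "goto done" after a failed get_trust_creds() aborts the whole connection attempt, whereas the removed code never checked the result of secrets_fetch_machine_password() and continued towards the later fallbacks. If a host without usable trust credentials should still be able to reach the auth_user fallback further down, skip the machine-account attempts here instead of jumping to done, or state in the commit message that the hard failure is intended.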
@@ -700,7 +731,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
machine_password,
- lp_workgroup());
+ domain->name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("failed kerberos session setup with %s\n",
@@ -710,7 +741,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ cli_init_creds(*cli, machine_account, domain->name, machine_password);
goto session_setup_done;
}
}
@@ -720,12 +751,12 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- lp_workgroup(), machine_account));
+ domain->name, machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- lp_workgroup());
+ domain->name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with %s\n",
ads_errstr(ads_status)));
@@ -734,15 +765,17 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ cli_init_creds(*cli, machine_account, domain->name, machine_password);
goto session_setup_done;
}
}
- /* Fall back to non-kerberos session setup */
+ /* Fall back to non-kerberos session setup with auth_user */
(*cli)->use_kerberos = False;
+ cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);
+
if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) &&
(strlen(ipc_username) > 0)) {
@@ -1689,6 +1722,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring conn_pwd;
struct dcinfo *p_dcinfo;
+ char *machine_password = NULL;
+ char *machine_account = NULL;
+ char *domain_name = NULL;
result = init_dc_connection(domain);
if (!NT_STATUS_IS_OK(result)) {
@@ -1711,10 +1747,25 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
if ((conn->cli->user_name[0] == '\0') ||
(conn->cli->domain[0] == '\0') ||
- (conn_pwd[0] == '\0')) {
- DEBUG(10, ("cm_connect_sam: No no user available for "
- "domain %s, trying schannel\n", conn->cli->domain));
- goto schannel;
+ (conn_pwd[0] == '\0'))
+ {
+ result = get_trust_creds(domain, &machine_password,
+ &machine_account, NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("cm_connect_sam: No no user available for "
+ "domain %s, trying schannel\n", conn->cli->domain));
+ goto schannel;
+ }
+ domain_name = domain->name;
+ } else {
+ machine_password = SMB_STRDUP(conn_pwd);
+ machine_account = SMB_STRDUP(conn->cli->user_name);
+ domain_name = conn->cli->domain;
+ }
+
+ if (!machine_password || !machine_account) {
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
}
/* We have an authenticated connection. Use a NTLMSSP SPNEGO
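Review bot: the DEBUG(10) text inside the new failure branch ("No no user available for domain %s, trying schannel") no longer describes the condition. It is now printed when get_trust_creds() failed, not when the connection has no user, and it still carries the doubled "No no". Log the NTSTATUS from get_trust_creds() with nt_errstr(result) so the fallback to schannel can be diagnosed. Also note that result holds the get_trust_creds() error when control reaches the schannel label, so make sure that path overwrites it.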
@@ -1722,23 +1773,23 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
conn->samr_pipe =
cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR,
PIPE_AUTH_LEVEL_PRIVACY,
- conn->cli->domain,
- conn->cli->user_name,
- conn_pwd, &result);
+ domain_name,
+ machine_account,
+ machine_password, &result);
if (conn->samr_pipe == NULL) {
DEBUG(10,("cm_connect_sam: failed to connect to SAMR "
"pipe for domain %s using NTLMSSP "
"authenticated pipe: user %s\\%s. Error was "
- "%s\n", domain->name, conn->cli->domain,
- conn->cli->user_name, nt_errstr(result)));
+ "%s\n", domain->name, domain_name,
+ machine_account, nt_errstr(result)));
goto schannel;
}
DEBUG(10,("cm_connect_sam: connected to SAMR pipe for "
"domain %s using NTLMSSP authenticated "
"pipe: user %s\\%s\n", domain->name,
- conn->cli->domain, conn->cli->user_name ));
+ domain_name, machine_account));
result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
SEC_RIGHTS_MAXIMUM_ALLOWED,
@@ -1823,6 +1874,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
*cli = conn->samr_pipe;
*sam_handle = conn->sam_domain_handle;
+ SAFE_FREE(machine_password);
+ SAFE_FREE(machine_account);
return result;
}
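Review bot: machine_password holds a cleartext trust or machine password (from get_trust_creds() or SMB_STRDUP(conn_pwd)) and is released with a plain SAFE_FREE() just before "return result". Overwrite the buffer before freeing it, and do the same for the conn_pwd fstring once it has been copied. Please also confirm that every exit taken after the allocations, including the NT_STATUS_NO_MEMORY "goto done", reaches these two SAFE_FREE() calls.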
@@ -1973,36 +2026,27 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
return NT_STATUS_OK;
}
- if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
-
netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON,
&result);
if (netlogon_pipe == NULL) {
return result;
}
+ if ((!IS_DC) && (!domain->primary)) {
+ /* Clear the schannel request bit and drop down */
+ neg_flags &= ~NETLOGON_NEG_SCHANNEL;
+ goto no_schannel;
+ }
+
if (lp_client_schannel() != False) {
neg_flags |= NETLOGON_NEG_SCHANNEL;
}
- /* if we are a DC and this is a trusted domain, then we need to use our
- domain name in the net_req_auth2() request */
-
- if ( IS_DC
- && !strequal(domain->name, lp_workgroup())
- && lp_allow_trusted_domains() )
+ if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
+ &sec_chan_type))
{
- account_name = lp_workgroup();
- } else {
- account_name = domain->primary ?
- global_myname() : domain->name;
- }
-
- if (account_name == NULL) {
cli_rpc_pipe_close(netlogon_pipe);
- return NT_STATUS_NO_MEMORY;
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
result = rpccli_netlogon_setup_creds(
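Review bot: the new early exit for (!IS_DC) && (!domain->primary) clears NETLOGON_NEG_SCHANNEL and jumps to no_schannel before lp_client_schannel() is consulted, so for non-primary domains on a member server the unauthenticated pipe from cli_rpc_pipe_open_noauth() is kept whatever the client schannel setting says. If an administrator has configured schannel as mandatory this is a silent downgrade. Either fail the connection in that case or at least emit a DEBUG message that records the downgrade. The goto also skips get_trust_pw_hash() and rpccli_netlogon_setup_creds(), which is worth a comment at the label.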
@@ -2027,6 +2071,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
return NT_STATUS_ACCESS_DENIED;
}
+ no_schannel:
if ((lp_client_schannel() == False) ||
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
/* We're done - just keep the existing connection to NETLOGON
diff --git a/source/nsswitch/winbindd_nss.h b/source/nsswitch/winbindd_nss.h
index 135849a..8f22e15 100644
--- a/source/nsswitch/winbindd_nss.h
+++ b/source/nsswitch/winbindd_nss.h
@@ -206,7 +206,7 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_KRB5 0x1000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
#define WBFLAG_PAM_CACHED_LOGIN 0x4000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000
#define WINBINDD_MAX_EXTRA_DATA (128*1024)
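Review bot: dropping the "not used" marker on WBFLAG_PAM_GET_PWD_POLICY changes the meaning of bit 0x8000 in the winbindd request protocol without any other visible change in this header. A pam_winbind.so built before this commit never sets the bit and will stop receiving password policy data from a newer winbindd. Add a comment here describing what the flag requests, and mention the client/daemon version dependency in the commit message.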
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 589f483..e5e55e6 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -1517,11 +1517,13 @@ process_result:
}
}
- result = fillup_password_policy(domain, state);
+ if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
+ result = fillup_password_policy(domain, state);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
- goto done;
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+ goto done;
+ }
}
if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
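Review bot: inside the new WBFLAG_PAM_GET_PWD_POLICY branch a failed fillup_password_policy() still does "goto done" with the failing status, so a request from pam_winbind, which now always sets the flag, is still turned into a failure when only the policy lookup fails. That is the trusted-domain case the commit message describes. Consider logging the error and continuing with the original authentication result, since the policy data is supplementary to the logon decision.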
diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
index 3ac3a93..cd6c751 100644
--- a/source/passdb/secrets.c
+++ b/source/passdb/secrets.c
@@ -268,27 +268,19 @@ uint32 get_default_sec_channel(void)
/************************************************************************
Routine to get the trust account password for a domain.
+ This only tries to get the legacy hashed version of the password.
The user of this function must have locked the trust password file using
the above secrets_lock_trust_account_password().
************************************************************************/
-BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
- time_t *pass_last_set_time,
- uint32 *channel)
+BOOL secrets_fetch_trust_account_password_legacy(const char *domain,
+ uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
struct machine_acct_pass *pass;
- char *plaintext;
size_t size = 0;
- plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
- channel);
- if (plaintext) {
- DEBUG(4,("Using cleartext machine password\n"));
- E_md4hash(plaintext, ret_pwd);
- SAFE_FREE(plaintext);
- return True;
- }
-
if (!(pass = (struct machine_acct_pass *)secrets_fetch(
trust_keystr(domain), &size))) {
DEBUG(5, ("secrets_fetch failed!\n"));
@@ -321,6 +313,32 @@ BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
return True;
}
+/************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+ the above secrets_lock_trust_account_password().
+************************************************************************/
+
+BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+ time_t *pass_last_set_time,
+ uint32 *channel)
+{
+ char *plaintext;
+
+ plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
+ channel);
+ if (plaintext) {
+ DEBUG(4,("Using cleartext machine password\n"));
+ E_md4hash(plaintext, ret_pwd);
+ SAFE_FREE(plaintext);
+ return True;
+ }
+
+ return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ pass_last_set_time,
+ channel);
+}
+
/**
* Pack SID passed by pointer
*
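Review bot: the header comment on the new secrets_fetch_trust_account_password() wrapper is a copy of the legacy one and does not say what distinguishes the two functions. State that it first tries the cleartext machine password, hashes it with E_md4hash(), and only then falls back to secrets_fetch_trust_account_password_legacy(). The plaintext buffer is released with SAFE_FREE() without being overwritten first, which is worth fixing while this code is being moved.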
@@ -500,20 +518,6 @@ BOOL secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
return True;
}
-/************************************************************************
- Routine to set the trust account password for a domain.
-************************************************************************/
-
-BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
-{
- struct machine_acct_pass pass;
-
- pass.mod_time = time(NULL);
- memcpy(pass.hash, new_pwd, 16);
-
- return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
-}
-
/**
* Routine to store the password for trusted domain
*
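Review bot: removing secrets_store_trust_account_password() (and, per the commit message, trust_password_delete()) leaves no code path that can update or delete the hashed trust_keystr(domain) entries, yet secrets_fetch_trust_account_password_legacy() still reads and trusts them. An old MD4 hash left in secrets.tdb will keep being used as a fallback after the cleartext password has changed or been removed. Either keep the delete function so stale entries can be cleaned up, or document how such entries are expected to be purged.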
@@ -655,54 +659,103 @@ char *secrets_fetch_machine_password(const char *domain,
return ret;
}
+BOOL is_trusted_domain_situation(const char *domain_name)
+{
+ return IS_DC &&
+ lp_allow_trusted_domains() &&
+ !strequal(domain_name, lp_workgroup());
+}
+
/*******************************************************************
- Wrapper around retrieving the trust account password
+ Wrapper around retrieving the clear text trust account password.
+ appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
*******************************************************************/
-
-BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
+
+BOOL get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name, uint32 *channel)
{
- DOM_SID sid;
char *pwd;
time_t last_set_time;
-
+
/* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) {
- if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
- &last_set_time)) {
+ * for the domain trust */
+
+ if (is_trusted_domain_situation(domain)) {
+ if (!secrets_fetch_trusted_domain_password(domain, ret_pwd,
+ NULL, &last_set_time))
+ {
--
Samba Shared Repository