[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-28a-1148-g6c8f19c

Günther Deschner gd at samba.org
Tue Apr 29 16:19:57 GMT 2008


The branch, v3-0-test has been updated
       via  6c8f19cd6cc21106a71ab9d6bca5de76c71f0bca (commit)
       via  23decdf98961caa6d6561b1886d902c0d71418e4 (commit)
      from  ce475f86a2dae3db9c094105be1a3daedacfb40e (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 6c8f19cd6cc21106a71ab9d6bca5de76c71f0bca
Author: Rafal Szczesniak <mimir at samba.org>
Date:   Fri Aug 31 21:25:53 2007 +0000

    r24853: Rename function as Jerry asked.
    s/net_use_upn_machine_account/net_use_krb_machine_account/
    
    rafal
    (cherry picked from commit 86af9fedad71697f22cc739518340f7753b8f9da)

commit 23decdf98961caa6d6561b1886d902c0d71418e4
Author: Rafal Szczesniak <mimir at samba.org>
Date:   Wed Aug 29 19:55:13 2007 +0000

    net: fix post join verification.
    
    This patch is based on commit 30d99d8ac3379caadc5bdb353977149d1ee16403
    and just a little modified to apply on 3-0-test.
    
    Guenther
    
    Original commit message:
    
    r24789: Add implementation of machine-authenticated connection to netlogon
    pipe used when connecting to win2k and newer domain controllers. The
    server may be configured to deny anonymous netlogon connections which
    would stop the domain join verification step. Still, winnt domains require
    such smb sessions not to be authenticated using machine credentials.
    Creds employed in smb session cannot have a username in upn form, so
    provide the separate function to use machine account.
    
    rafal

-----------------------------------------------------------------------

Summary of changes:
 source/utils/net.c          |   28 ++++++++++++++++++++++++----
 source/utils/net_ads.c      |    4 ++--
 source/utils/net_rpc_join.c |   17 ++++++++++++++++-
 3 files changed, 42 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/utils/net.c b/source/utils/net.c
index 99384ad..5a81edb 100644
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -346,10 +346,10 @@ NTSTATUS connect_dst_pipe(struct cli_state **cli_dst, struct rpc_pipe_client **p
 }
 
 /****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (krb) and password for this session.
 ****************************************************************************/
 
-int net_use_machine_password(void) 
+int net_use_krb_machine_account(void) 
 {
 	char *user_name = NULL;
 
@@ -358,7 +358,6 @@ int net_use_machine_password(void)
 		exit(1);
 	}
 
-	user_name = NULL;
 	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
 	if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
 		return -1;
@@ -367,6 +366,27 @@ int net_use_machine_password(void)
 	return 0;
 }
 
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+	char *user_name = NULL;
+		
+	if (!secrets_init()) {
+		d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+		exit(1);
+	}
+
+	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+	if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+		return -1;
+	}
+	opt_user_name = user_name;
+	return 0;
+}
+
 BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name)
 {
 	const char *d = domain ? domain : opt_target_workgroup;
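Review bot: net_use_machine_account() stores the result of secrets_fetch_machine_password() into opt_password without a NULL check, so a missing machine password still produces a 0 return with only opt_user_name set; a guard such as `if (!opt_password) { d_fprintf(stderr, "ERROR: no machine password found for %s\n", opt_target_workgroup); return -1; }` before the asprintf would make that failure explicit to callers. The body is otherwise a line-for-line copy of net_use_krb_machine_account() differing only in the asprintf format string, so a static helper taking the user-name format would keep the secrets_init handling and the error path from drifting between the two. The added line directly after the `char *user_name = NULL;` declaration contains only tabs and should be an empty line.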
@@ -1034,7 +1054,7 @@ static struct functable net_func[] = {
 		/* it is very useful to be able to make ads queries as the
 		   machine account for testing purposes and for domain leave */
 
-		net_use_machine_password();
+		net_use_krb_machine_account();
 	}
 
 	if (!opt_password) {
diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c
index 75b631c..d6a52b8 100644
--- a/source/utils/net_ads.c
+++ b/source/utils/net_ads.c
@@ -886,7 +886,7 @@ static NTSTATUS net_ads_join_ok(void)
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	net_use_machine_password();
+	net_use_krb_machine_account();
 
 	status = ads_startup(True, &ads);
 	if (!ADS_ERR_OK(status)) {
@@ -2170,7 +2170,7 @@ int net_ads_changetrustpw(int argc, const char **argv)
 		return -1;
 	}
 
-	net_use_machine_password();
+	net_use_krb_machine_account();
 
 	use_in_memory_ccache();
 
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index 139d1dc..63e77b3 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -44,13 +44,28 @@
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
 	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	enum security_types sec;
+	unsigned int conn_flags = NET_FLAGS_PDC;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
 
+	sec = (enum security_types)lp_security();
+
+	if (sec == SEC_ADS) {
+		/* Connect to IPC$ using machine account's credentials. We don't use anonymous
+		   connection here, as it may be denied by server's local policy. */
+		net_use_machine_account();
+
+	} else {
+		/* some servers (e.g. WinNT) don't accept machine-authenticated
+		   smb connections */
+		conn_flags |= NET_FLAGS_ANONYMOUS;
+	}
+
 	/* Connect to remote machine */
-	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
 		return -1;
 	}
 
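Review bot: The return value of net_use_machine_account() is discarded in the SEC_ADS branch, so when it fails (it returns -1 on asprintf failure) the code still falls through to net_make_ipc_connection_ex() with whatever opt_user_name and opt_password held, instead of failing the join check; `if (net_use_machine_account() != 0) { return -1; }` keeps the failure visible. Since net_use_machine_account() does not check the value it assigns to opt_password, the connection attempt can presumably also proceed with a NULL password when the secrets database has no machine password — worth confirming how net_make_ipc_connection_ex() behaves in that case. The function net_rpc_join_ok continues past the end of the hunk.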


-- 
Samba Shared Repository

