[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Sat Jul 14 21:42:02 MDT 2012


The branch, master has been updated
       via  dff29e4 auth/credentials: Look in the secrets.tdb for the machine account
       via  6d24c89 s4-param: Use a unique header name
       via  4b61c48 s3-secrets: Use C99 types
      from  726ecf6 Fix bug #9016 - Connection to outbound trusted domain goes offline.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dff29e4aee5f6adda32e5a0905d3c46e810feb27
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 14 22:23:41 2012 +1000

    auth/credentials: Look in the secrets.tdb for the machine account
    
    This is for use with the -P/--machine-pass option.
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104

commit 6d24c899db76161a6f8d092b6fae054c6e663432
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 14 22:22:37 2012 +1000

    s4-param: Use a unique header name

commit 4b61c4891a309172057caf058c39931fe752bd65
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jul 14 22:18:29 2012 +1000

    s3-secrets: Use C99 types

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_secrets.c   |   51 ++++++++++++++++++++++++++++-
 auth/credentials/wscript_build           |    2 +-
 source3/include/secrets.h                |   10 +++---
 source3/passdb/machine_account_secrets.c |   12 +++---
 source4/param/secrets.h                  |    6 ++--
 5 files changed, 64 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index bc08d9d..8206173 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -34,6 +34,11 @@
 #include "param/param.h"
 #include "lib/events/events.h"
 #include "dsdb/samdb/samdb.h"
+#include "source3/include/secrets.h"
+#include "dbwrap/dbwrap.h"
+#include "dbwrap/dbwrap_open.h"
+#include "lib/util/util_tdb.h"
+
 
 /**
  * Fill in credentials for the machine trust account, from the secrets database.
@@ -197,17 +202,59 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	NTSTATUS status;
 	char *filter;
 	char *error_string;
+	const char *domain;
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
 	 * any more */
 	cred->machine_account_pending = false;
+
+	/* We have to do this, as the fallback in
+	 * cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
+	domain = cli_credentials_get_domain(cred);
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
-				 cli_credentials_get_domain(cred));
+				 domain);
 	status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
 					     SECRETS_PRIMARY_DOMAIN_DN,
 					     filter, &error_string);
+	if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
+	    || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
+		TDB_DATA dbuf;
+		char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb");
+		struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
+							      TDB_DEFAULT, O_RDWR, 0600,
+							      DBWRAP_LOCK_ORDER_1);
+		if (db_ctx) {
+			char *keystr;
+			char *keystr_upper;
+			keystr = talloc_asprintf(cred, "%s/%s",
+						 SECRETS_MACHINE_PASSWORD,
+						 domain);
+			keystr_upper = strupper_talloc(cred, keystr);
+			TALLOC_FREE(keystr);
+			status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
+					      &dbuf);
+			
+			if (NT_STATUS_IS_OK(status)) {
+				char *machine_account = talloc_asprintf(cred, "%s$", lpcfg_netbios_name(lp_ctx));
+				cli_credentials_set_password(cred, (const char *)dbuf.dptr, CRED_SPECIFIED);
+				cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+				cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+				TALLOC_FREE(machine_account);
+				TALLOC_FREE(dbuf.dptr);
+			} else {
+				error_string = talloc_asprintf(cred, 
+							       "Failed to fetch machine account password from "
+							       "secrets.ldb: %s and failed to fetch %s from %s", 
+							       error_string, keystr_upper, secrets_tdb);
+			}
+			TALLOC_FREE(keystr_upper);
+			TALLOC_FREE(secrets_tdb);
+		}
+	}
+	
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", nt_errstr(status), error_string));
+		DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", 
+			  error_string, nt_errstr(status)));
 		talloc_free(error_string);
 	}
 	return status;
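Review bot: The tdb value returned by dbwrap_fetch is handed to cli_credentials_set_password as a plain C string, with neither `dbuf.dsize` nor NUL termination checked, so a malformed or truncated secrets.tdb record would be read past its end; copy it with an explicit length first, `char *pw = talloc_strndup(cred, (const char *)dbuf.dptr, dbuf.dsize);`, pass `pw` to the setter and free it alongside `dbuf.dptr`. The `db_ctx` returned by dbwrap_local_open is never released, so the secrets.tdb handle stays open for the lifetime of `cred`; a `TALLOC_FREE(db_ctx);` after the `if (db_ctx)` body closes it, and since this path only reads, `O_RDONLY` would presumably be enough in place of `O_RDWR`. The results of `lpcfg_private_path` and the `talloc_asprintf` that builds `keystr` are not NULL-checked before being passed on, and the `error_string` from the ldb lookup is overwritten rather than freed when the tdb fetch also fails. cli_credentials_set_machine_account begins before this hunk.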
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index a7936e9..0b2aec2 100755
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -17,7 +17,7 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS',
 	source='credentials_secrets.c',
-	deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common',
+	deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common dbwrap',
 	)
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 5b778d1..fa215ff 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -58,7 +58,7 @@
 /* structure for storing machine account password
    (ie. when samba server is member of a domain */
 struct machine_acct_pass {
-	uint8 hash[16];
+	uint8_t hash[16];
 	time_t mod_time;
 };
 
@@ -69,12 +69,12 @@ struct machine_acct_pass {
 #define SECRETS_AFS_MAXKEYS 8
 
 struct afs_key {
-	uint32 kvno;
+	uint32_t kvno;
 	char key[8];
 };
 
 struct afs_keyfile {
-	uint32 nkeys;
+	uint32_t nkeys;
 	struct afs_key entry[SECRETS_AFS_MAXKEYS];
 };
 
@@ -100,10 +100,10 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid);
 void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain);
 enum netr_SchannelType get_default_sec_channel(void);
 bool secrets_fetch_trust_account_password_legacy(const char *domain,
-						 uint8 ret_pwd[16],
+						 uint8_t ret_pwd[16],
 						 time_t *pass_last_set_time,
 						 enum netr_SchannelType *channel);
-bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
 					  time_t *pass_last_set_time,
 					  enum netr_SchannelType *channel);
 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 463de71..30f5f82 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -313,7 +313,7 @@ enum netr_SchannelType get_default_sec_channel(void)
 ************************************************************************/
 
 bool secrets_fetch_trust_account_password_legacy(const char *domain,
-						 uint8 ret_pwd[16],
+						 uint8_t ret_pwd[16],
 						 time_t *pass_last_set_time,
 						 enum netr_SchannelType *channel)
 {
@@ -351,7 +351,7 @@ bool secrets_fetch_trust_account_password_legacy(const char *domain,
  the above secrets_lock_trust_account_password().
 ************************************************************************/
 
-bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
+bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
 					  time_t *pass_last_set_time,
 					  enum netr_SchannelType *channel)
 {
@@ -442,8 +442,8 @@ bool secrets_store_machine_password(const char *pass, const char *domain,
 				    enum netr_SchannelType sec_channel)
 {
 	bool ret;
-	uint32 last_change_time;
-	uint32 sec_channel_type;
+	uint32_t last_change_time;
+	uint32_t sec_channel_type;
 
 	if (!secrets_store_prev_machine_password(domain)) {
 		return false;
@@ -487,7 +487,7 @@ char *secrets_fetch_machine_password(const char *domain,
 
 	if (pass_last_set_time) {
 		size_t size;
-		uint32 *last_set_time;
+		uint32_t *last_set_time;
 		last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
 		if (last_set_time) {
 			*pass_last_set_time = IVAL(last_set_time,0);
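Review bot: The declaration becomes `uint32_t *last_set_time` while the cast on the following line still reads `(unsigned int *)`, so the two types are now out of step with each other; `last_set_time = (uint32_t *)secrets_fetch(machine_last_change_time_keystr(domain), &size);` keeps the C99 conversion consistent. The same applies to `channel_type` in the next hunk. The fetched pointer is then read with IVAL without `size` being compared against the 4 bytes it consumes — presumably pre-existing, but a `size >= 4` guard would make the read safe against a short record. secrets_fetch_machine_password continues outside the hunk.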
@@ -499,7 +499,7 @@ char *secrets_fetch_machine_password(const char *domain,
 
 	if (channel) {
 		size_t size;
-		uint32 *channel_type;
+		uint32_t *channel_type;
 		channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
 		if (channel_type) {
 			*channel = IVAL(channel_type,0);
diff --git a/source4/param/secrets.h b/source4/param/secrets.h
index 6576929..1e7849f 100644
--- a/source4/param/secrets.h
+++ b/source4/param/secrets.h
@@ -17,8 +17,8 @@
  * this program; if not, see <http://www.gnu.org/licenses/>.  
  */
 
-#ifndef _SECRETS_H
-#define _SECRETS_H
+#ifndef _SOURCE4_PARAM_SECRETS_H
+#define _SOURCE4_PARAM_SECRETS_H
 
 #define SECRETS_PRIMARY_DOMAIN_DN "cn=Primary Domains"
 #define SECRETS_PRINCIPALS_DN "cn=Principals"
@@ -54,4 +54,4 @@ struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
 char *keytab_name_from_msg(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldb_message *msg);
 
 
-#endif /* _SECRETS_H */
+#endif /* _SOURCE4_PARAM_SECRETS_H */

