auth user/pw for winbind session setups on 2.2
Jim McDonough
jmcd at us.ibm.com
Fri Dec 14 13:56:02 GMT 2001
Jeremy,
I'd like to put the following patch into 2.2. It's taken from head, and it
allows wbinfo to store a user/pw in secrets.tdb that is used on session
setups from winbind, allowing winbind to work with Win2k DC's that have
restrict anonymous set (where NT won't work). Do you mind if I add it?
--- ../orig/source/Makefile.in Fri Dec 14 16:53:49 2001
+++ source/Makefile.in Fri Dec 14 16:40:56 2001
@@ -392,7 +392,8 @@
$(GROUPDB_OBJ) $(PROFILE_OBJ) \
$(NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ)
-WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o
+WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \
+ passdb/secrets.o
WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o
diff -u ../orig/source/nsswitch/wbinfo.c source/nsswitch/wbinfo.c
--- ../orig/source/nsswitch/wbinfo.c Fri Dec 14 16:17:42 2001
+++ source/nsswitch/wbinfo.c Fri Dec 14 16:40:28 2001
@@ -420,12 +420,40 @@
return True;
}
+/* Set the authorised user for winbindd access in secrets.tdb */
+
+static BOOL wbinfo_set_auth_user(char *username)
+{
+ char *password;
+
+ /* Separate into user and password */
+
+ password = strchr(username, '%');
+
+ if (password) {
+ *password = 0;
+ password++;
+ } else
+ password = "";
+
+ /* Store in secrets.tdb */
+
+ if (!secrets_init() ||
+ !secrets_store(SECRETS_AUTH_USER, username, strlen(username) + 1) ||
+ !secrets_store(SECRETS_AUTH_PASSWORD, password, strlen(password) + 1)) {
+ fprintf(stderr, "error storing authenticated user info\n");
+ return False;
+ }
+
+ return True;
+}
+
/* Print program usage */
static void usage(void)
{
printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm "
- "| -a user%%password\n");
+ "| -aA user%%password\n");
printf("\t-u\t\t\tlists all domain users\n");
printf("\t-g\t\t\tlists all domain groups\n");
printf("\t-n name\t\t\tconverts name to sid\n");
@@ -438,6 +466,7 @@
printf("\t-m\t\t\tlist trusted domains\n");
printf("\t-r user\t\t\tget user groups\n");
printf("\t-a user%%password\tauthenticate user\n");
+ printf("\t-A user%%password\tstore session setup auth password\n");
}
/* Main program */
@@ -478,7 +507,7 @@
return 1;
}
- while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:")) != EOF) {
+ while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:A:")) != EOF) {
switch (opt) {
case 'u':
if (!print_domain_users()) {
@@ -571,6 +600,12 @@
break;
}
+ case 'A': {
+ if (!(wbinfo_set_auth_user(optarg))) {
+ return 1;
+ }
+ break;
+ }
/* Invalid option */
default:
diff -u ../orig/source/nsswitch/winbindd.h source/nsswitch/winbindd.h
--- ../orig/source/nsswitch/winbindd.h Fri Dec 14 16:17:42 2001
+++ source/nsswitch/winbindd.h Fri Dec 14 16:40:22 2001
@@ -117,4 +117,9 @@
#define SETENV(name, value, overwrite) ;
#endif
+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
+
#endif /* _WINBINDD_H */
diff -u ../orig/source/nsswitch/winbindd_cm.c source/nsswitch/winbindd_cm.c
--- ../orig/source/nsswitch/winbindd_cm.c Thu Nov 29 01:25:14 2001
+++ source/nsswitch/winbindd_cm.c Fri Dec 14 16:40:35 2001
@@ -182,6 +182,35 @@
return True;
}
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+ char *username, *password;
+
+ ZERO_STRUCTP(creds);
+
+ creds->pwd.null_pwd = True; /* anonymoose */
+
+ username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+ password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (username && *username) {
+ pwd_set_cleartext(&creds->pwd, password);
+ pwd_make_lm_nt_16(&creds->pwd, password);
+
+ fstrcpy(creds->user_name, username);
+ fstrcpy(creds->domain, lp_workgroup());
+
+ DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+ creds->user_name));
+ } else
+ DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
/* Open a new smb pipe connection to a DC on a given domain. Cache
negative creation attempts so we don't try and connect to broken
machines too often. */
@@ -257,8 +286,7 @@
make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
- ZERO_STRUCT(creds);
- creds.pwd.null_pwd = 1;
+ cm_init_creds(&creds);
cli_init_creds(new_conn->cli, &creds);
----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
jmcd at us.ibm.com
jmcd at samba.org
Phone: (207) 885-5565
IBM tie-line: 776-9984
More information about the samba-technical
mailing list