auth user/pw for winbind session setups on 2.2

Jim McDonough jmcd at us.ibm.com
Fri Dec 14 13:56:02 GMT 2001


Jeremy,
I'd like to put the following patch into 2.2.  It's taken from head, and it
allows wbinfo to store a user/pw in secrets.tdb that is used on session
setups from winbind, allowing winbind to work with Win2k DCs that have
RestrictAnonymous set (where NT won't work).  Do you mind if I add it?

--- ../orig/source/Makefile.in      Fri Dec 14 16:53:49 2001
+++ source/Makefile.in  Fri Dec 14 16:40:56 2001
@@ -392,7 +392,8 @@
            $(GROUPDB_OBJ) $(PROFILE_OBJ) \
            $(NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ)

-WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o
+WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \
+     passdb/secrets.o

 WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o

diff -u ../orig/source/nsswitch/wbinfo.c source/nsswitch/wbinfo.c
--- ../orig/source/nsswitch/wbinfo.c      Fri Dec 14 16:17:42 2001
+++ source/nsswitch/wbinfo.c  Fri Dec 14 16:40:28 2001
@@ -420,12 +420,40 @@
      return True;
 }

+/* Set the authorised user for winbindd access in secrets.tdb */
+
+static BOOL wbinfo_set_auth_user(char *username)
+{
+     char *password;
+
+     /* Separate into user and password */
+
+     password = strchr(username, '%');
+
+     if (password) {
+           *password = 0;
+           password++;
+     } else
+           password = "";
+
+     /* Store in secrets.tdb */
+
+     if (!secrets_init() ||
+         !secrets_store(SECRETS_AUTH_USER, username, strlen(username) + 1) ||
+         !secrets_store(SECRETS_AUTH_PASSWORD, password, strlen(password) + 1)) {
+           fprintf(stderr, "error storing authenticated user info\n");
+           return False;
+     }
+
+     return True;
+}
+
 /* Print program usage */

 static void usage(void)
 {
      printf("Usage: wbinfo -ug | -n name | -sSY sid | -UG uid/gid | -tm "
-               "| -a user%%password\n");
+               "| -aA user%%password\n");
      printf("\t-u\t\t\tlists all domain users\n");
      printf("\t-g\t\t\tlists all domain groups\n");
      printf("\t-n name\t\t\tconverts name to sid\n");
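Review bot: wbinfo_set_auth_user takes the password from the command line (`-A user%password`), so it is visible to every local user in `ps` output and lands in shell history, and when no `%` separator is given the code silently stores an empty password instead of prompting. I'd replace the `else password = "";` branch with `else password = getpass("Password: ");` and, since the function already rewrites optarg in place, overwrite the rest of it once parsed with `memset(optarg, 0, strlen(optarg));`. If the second secrets_store fails after the first succeeded, secrets.tdb is left holding the new user with a stale password; storing the user last, or deleting both keys on failure, keeps the pair consistent. The usage text should also say that the pair is stored in secrets.tdb in cleartext, so that file's permissions are what protects it.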
@@ -438,6 +466,7 @@
      printf("\t-m\t\t\tlist trusted domains\n");
      printf("\t-r user\t\t\tget user groups\n");
      printf("\t-a user%%password\tauthenticate user\n");
+     printf("\t-A user%%password\tstore session setup auth password\n");
 }

 /* Main program */
@@ -478,7 +507,7 @@
            return 1;
      }

-     while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:")) != EOF) {
+     while ((opt = getopt(argc, argv, "ugs:n:U:G:S:Y:tmr:a:A:")) != EOF) {
            switch (opt) {
            case 'u':
                  if (!print_domain_users()) {
@@ -571,6 +600,12 @@
                         break;

                 }
+           case 'A': {
+                 if (!(wbinfo_set_auth_user(optarg))) {
+                       return 1;
+                 }
+                 break;
+           }
                       /* Invalid option */

            default:
diff -u ../orig/source/nsswitch/winbindd.h source/nsswitch/winbindd.h
--- ../orig/source/nsswitch/winbindd.h    Fri Dec 14 16:17:42 2001
+++ source/nsswitch/winbindd.h      Fri Dec 14 16:40:22 2001
@@ -117,4 +117,9 @@
 #define SETENV(name, value, overwrite) ;
 #endif

+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER      "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD  "SECRETS/AUTH_PASSWORD"
+
 #endif /* _WINBINDD_H */
diff -u ../orig/source/nsswitch/winbindd_cm.c source/nsswitch/winbindd_cm.c
--- ../orig/source/nsswitch/winbindd_cm.c Thu Nov 29 01:25:14 2001
+++ source/nsswitch/winbindd_cm.c   Fri Dec 14 16:40:35 2001
@@ -182,6 +182,35 @@
      return True;
 }

+/* Choose between anonymous or authenticated connections.  We need to use
+   an authenticated connection if DCs have the RestrictAnonymous registry
+   entry set > 0, or the "Additional restrictions for anonymous
+   connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+     char *username, *password;
+
+     ZERO_STRUCTP(creds);
+
+     creds->pwd.null_pwd = True; /* anonymoose */
+
+     username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+     password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+     if (username && *username) {
+           pwd_set_cleartext(&creds->pwd, password);
+           pwd_make_lm_nt_16(&creds->pwd, password);
+
+           fstrcpy(creds->user_name, username);
+           fstrcpy(creds->domain, lp_workgroup());
+
+           DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+                   creds->user_name));
+     } else
+           DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
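Review bot: cm_init_creds never frees the buffers returned by the two secrets_fetch calls, and if SECRETS_AUTH_USER is present but SECRETS_AUTH_PASSWORD is not, `password` is NULL when handed to pwd_set_cleartext and pwd_make_lm_nt_16. Since this runs on every DC connection, the leak grows with each reconnect and each leaked copy keeps the cleartext password resident in winbindd's heap; if secrets_fetch returns a heap copy as tdb_fetch does, the strings should be consumed, zeroed and freed before returning, and a missing password should fall back to an empty string rather than a NULL pointer. The fetched value is also trusted to be NUL-terminated; passing a size to secrets_fetch and checking for the terminator would make a corrupt or hand-edited secrets.tdb fail safely instead of overrunning. A comment above the function should note that `creds` receives the cleartext password and LM/NT hashes and that the caller is responsible for clearing it.
```c
void cm_init_creds(struct ntuser_creds *creds)
{
	char *username, *password;

	/* … unchanged: ZERO_STRUCTP and null_pwd default … */

	username = secrets_fetch(SECRETS_AUTH_USER, NULL);
	password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);

	if (username && *username) {
		/* A missing password entry is treated as empty, not as NULL. */
		char *pw = password ? password : "";

		pwd_set_cleartext(&creds->pwd, pw);
		pwd_make_lm_nt_16(&creds->pwd, pw);

		/* … unchanged: user_name/domain copy and DEBUG … */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* secrets_fetch hands back heap copies; wipe the password before freeing. */
	if (password) {
		memset(password, 0, strlen(password));
		free(password);
	}
	free(username);
}
```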
 /* Open a new smb pipe connection to a DC on a given domain.  Cache
    negative creation attempts so we don't try and connect to broken
    machines too often. */
@@ -257,8 +286,7 @@
      make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
      make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);

-     ZERO_STRUCT(creds);
-     creds.pwd.null_pwd = 1;
+     cm_init_creds(&creds);

      cli_init_creds(new_conn->cli, &creds);

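Review bot: After cm_init_creds, `creds` in cm_open_connection holds the stored cleartext password and its LM/NT hashes as a stack local, and nothing clears it once cli_init_creds has taken what it needs; a `ZERO_STRUCT(creds);` after the cli_init_creds call would keep the secret from lingering on the stack, assuming cli_init_creds copies the struct rather than retaining the pointer — worth confirming. cm_init_creds also always uses lp_workgroup() as the domain, so a DC in a trusted domain is presumably being asked to authenticate a foreign-domain user across the trust; a one-line comment at this call site saying so would save the next reader a trip through the code. cm_open_connection starts before this hunk.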

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984




