[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-633-g537b126

Michael Adam ma at sernet.de
Thu Dec 13 09:27:55 GMT 2007


Grrrr. Now I shot myself into the leg with git!

Actually I wanted to push only the first patch.
I also had reordered my tree first to have it before
all the other commits. I seem to have forgotten
git rebase --continue after the reordering...

Actually that last commit (537b12647e25adcb7d) was meant
to be pushed before the last commit (dd320c0924ce393a8)
as it is a preparation. So expect all intermediate builds
to be broken. 

Sorry for that!

All the intermediate commits reflect my recent efforts
to get the trusted domain code (especially when trusted
domain is w2k3) right. I wanted to push them anyways, but
intended to give them more testing first.

Sorry again for this disorder!

Cheers, Michael

Michael Adam wrote:
> The branch, v3-2-test has been updated
>        via  537b12647e25adcb7da3581f18d2e9feca1caf0c (commit)
>        via  e180bbd45452435e981192028a0ad90078c04236 (commit)
>        via  481f18b20d6d5ee12c62120a3559bb16cc98e465 (commit)
>        via  18c66a364e0ddc4960769871ca190944f7fe5c44 (commit)
>        via  e77c4022cfbb868e608edcb06b676658b0e201ad (commit)
>        via  b2e12365b56f24586a7dfcb845f4de51f0b0e7d5 (commit)
>        via  0cde7ac9cb39a0026a38ccf66dbecefc12931074 (commit)
>        via  4562342eb84e6fdcec15d8b7ae83aa146aabe2b7 (commit)
>        via  91da12b751b3168dc40049f3e90c10d840393efc (commit)
>        via  6ced4a7f88798dc449a667d63bc29bf6c569291f (commit)
>        via  cdc60d8ae8c0ef804206b20b451e9557f97d4439 (commit)
>        via  164bfb25d7b5cfeffeb4d81958b7629a11ca5d5e (commit)
>        via  4788fe392427901f6b1c505e3a743136ac8a91ca (commit)
>       from  dd320c0924ce393a89b1cab020fd5cffc5b80380 (commit)
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
> 
> 
> - Log -----------------------------------------------------------------
> commit 537b12647e25adcb7da3581f18d2e9feca1caf0c
> Author: Michael Adam <obnox at samba.org>
> Date:   Wed Nov 28 02:15:37 2007 +0100
> 
>     Add flags for correctly implementing lsa_lookup_name levels.
>     
>     (Prepare fix for Bug #4801.)
>     
>     Michael
> 
> commit e180bbd45452435e981192028a0ad90078c04236
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 16:34:39 2007 +0100
> 
>     Make cm_connect_sam() try harder to connect authenticated.
>     
>     Even if the session setup was anonymous, try and collect
>     trust creds with get_trust_creds() and use these before
>     falling back to schannel.
>     
>     This is the first attempt to fix interdomain trusts.
>     (get password policy and stuff)
>     
>     Michael
> 
> commit 481f18b20d6d5ee12c62120a3559bb16cc98e465
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 16:32:38 2007 +0100
> 
>     Refactor out assembling of trust creds (pw, account name, principal).
>     
>     Michael
> 
> commit 18c66a364e0ddc4960769871ca190944f7fe5c44
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 15:39:36 2007 +0100
> 
>     Streamline and fix logic of cm_prepare_connection().
>     
>     Do not attempt to do a session setup when in a trusted domain
>     situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
>     
>     Use get_trust_pw_clear to get machine trust account.
>     Only call this when the result is really used.
>     Use the proper domain and account name for session setup.
>     
>     Michael
> 
> commit e77c4022cfbb868e608edcb06b676658b0e201ad
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 14:36:11 2007 +0100
> 
>     Refactoring out get_schannel_session_key logic.
>     
>     Refactor the actual retrieval of the session key through the
>     established netlogon pipe out of get_schannel_session_key()
>     and get_schannel_session_key_auth_ntlmssp() into a new
>     function get_schannel_session_key_common().
>     (To avoid code duplication.)
>     
>     Michael
> 
> commit b2e12365b56f24586a7dfcb845f4de51f0b0e7d5
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 14:12:49 2007 +0100
> 
>     Pass NULL instead of unneeded &sid: pdb_get_trusteddom_pw() checks.
>     
>     Michael
> 
> commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 14:07:32 2007 +0100
> 
>     Rename get_trust_pw() to get_trust_pw_hash().
>     
>     Michael
> 
> commit 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 13:59:54 2007 +0100
> 
>     Export logic of get_trust_pw() to new function get_trust_pw_clear().
>     
>     get_trust_pw() just now computes the md4 hash of the result of
>     get_trust_pw_clear() if that was successful. As a last resort,
>     in the non-trusted-domain-situation, get_trust_pw() now tries to
>     directly obtain the hashed version of the password out of secrets.tdb.
>     
>     Michael
> 
> commit 91da12b751b3168dc40049f3e90c10d840393efc
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 14:02:45 2007 +0100
> 
>     Refactor the legacy part of secrets_fetch_trust_account_password() out
>     
>     into a new function secrets_fetch_trust_account_password_legacy() that
>     does only try to obtain the hashed version of the machine password directly
>     from secrets.tdb.
>     
>     Michael
> 
> commit 6ced4a7f88798dc449a667d63bc29bf6c569291f
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 13:05:44 2007 +0100
> 
>     Let get_trust_pw() determine the machine_account_name to use.
>     
>     Up to now each caller used its own logic.
>     
>     This eliminates code paths where there was a special treatment
>     of the following situation: the domain given is not our workgroup
>     (i.e. our own domain) and we are not a DC (i.e. it is not a typical
>     trusted domain situation). In this situation the given domain name was
>     previously used as the machine account name, resulting in an account
>     name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
>     get_trust_pw would not have obtained a password in this situation
>     anyways.
>     
>     I hope I have not missed an important point here!
>     
>     Michael
> 
> commit cdc60d8ae8c0ef804206b20b451e9557f97d4439
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 12:47:28 2007 +0100
> 
>     Streamline logic in cm_connect_netlogon()
>     
>     by retrieving trust password only, when it will be used.
>     
>     Michael
> 
> commit 164bfb25d7b5cfeffeb4d81958b7629a11ca5d5e
> Author: Michael Adam <obnox at samba.org>
> Date:   Tue Dec 11 08:52:20 2007 +0100
> 
>     In cm_prepare_connection(), only get auth user creds if we need to.
>     
>     Michael
> 
> commit 4788fe392427901f6b1c505e3a743136ac8a91ca
> Author: Michael Adam <obnox at samba.org>
> Date:   Mon Dec 10 23:53:55 2007 +0100
> 
>     Remove two unneeded functions.
>     
>     secrets_store_trust_account_password() and trust_password_delete()
>     are the write access functions to the SECRETS/$MACHINE.ACC/domain keys
>     in secrets.tdb, the md4 hashed machine passwords. These are not used
>     any more: Current code always writes the clear text password.
>     
>     Michael
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  source/auth/auth_domain.c     |    7 ++-
>  source/include/smb.h          |   10 +++-
>  source/passdb/passdb.c        |   85 +++++++++++++++++++-----
>  source/passdb/secrets.c       |   67 +++++++++----------
>  source/rpc_client/cli_pipe.c  |  126 ++++++++++++-----------------------
>  source/winbindd/winbindd_cm.c |  145 +++++++++++++++++++++++++----------------
>  6 files changed, 248 insertions(+), 192 deletions(-)
> 
> 
> Changeset truncated at 500 lines:
> 
> diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
> index 7cddabb..b2c8717 100644
> --- a/source/auth/auth_domain.c
> +++ b/source/auth/auth_domain.c
> @@ -127,8 +127,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
>  		uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
>  		uint32 sec_chan_type = 0;
>  		unsigned char machine_pwd[16];
> +		const char *account_name;
>  
> -		if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
> +		if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
> +				       &sec_chan_type))
> +		{
>  			DEBUG(0, ("connect_to_domain_password_server: could not fetch "
>  			"trust account password for domain '%s'\n",
>  				domain));
> @@ -142,7 +145,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
>  					dc_name, /* server name */
>  					domain, /* domain */
>  					global_myname(), /* client name */
> -					global_myname(), /* machine account name */
> +					account_name, /* machine account name */
>  					machine_pwd,
>  					sec_chan_type,
>  					&neg_flags);
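Review bot: In the argument list ending in &neg_flags, the /* machine account name */ argument changes from global_myname() to account_name, and get_trust_pw_hash() sets that to lp_workgroup() when is_trusted_domain_situation() is true, so on a DC talking to a trusted domain this is a behaviour change and not just the rename the commit subject suggests. Say so in the commit message, and consider initialising account_name to NULL at its declaration so a later edit that touches it on the failure path cannot read an indeterminate pointer.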
> diff --git a/source/include/smb.h b/source/include/smb.h
> index d58c124..a725ae1 100644
> --- a/source/include/smb.h
> +++ b/source/include/smb.h
> @@ -242,6 +242,7 @@ typedef uint64_t NTTIME;
>  
>  #define SID_MAX_SIZE ((size_t)(8+(MAXSUBAUTHS*4)))
>  
> +#define LOOKUP_NAME_NONE		0x00000000
>  #define LOOKUP_NAME_ISOLATED             0x00000001  /* Look up unqualified names */
>  #define LOOKUP_NAME_REMOTE               0x00000002  /* Ask others */
>  #define LOOKUP_NAME_GROUP                0x00000004  /* (unused) This is a NASTY hack for 
> @@ -250,7 +251,14 @@ typedef uint64_t NTTIME;
>  #define LOOKUP_NAME_EXPLICIT             0x00000008  /* Only include
>  							explicitly mapped names and not 
>  							the Unix {User,Group} domain */
> -#define LOOKUP_NAME_ALL                  (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
> +#define LOOKUP_NAME_BUILTIN		0x00000010 /* builtin names */
> +#define LOOKUP_NAME_WKN			0x00000020 /* well known names */
> +#define LOOKUP_NAME_DOMAIN		0x00000040 /* only lookup own domain */
> +#define LOOKUP_NAME_ALL			(LOOKUP_NAME_ISOLATED\
> +					|LOOKUP_NAME_REMOTE\
> +					|LOOKUP_NAME_BUILTIN\
> +					|LOOKUP_NAME_WKN\
> +					|LOOKUP_NAME_DOMAIN)
>  
>  /**
>   * @brief Security Identifier
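Review bot: LOOKUP_NAME_ALL now also covers LOOKUP_NAME_BUILTIN, LOOKUP_NAME_WKN and LOOKUP_NAME_DOMAIN, so any caller that passes an explicit subset such as LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE instead of LOOKUP_NAME_ALL will stop matching builtin, well-known and own-domain names once the lookup code starts testing these bits. The visible hunks add no user of the new flags, so the follow-up that does should audit those call sites. LOOKUP_NAME_NONE in the previous hunk has no comment and is tab-aligned where the neighbouring defines use spaces.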
> diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
> index 2a4d4c4..c4248bb 100644
> --- a/source/passdb/passdb.c
> +++ b/source/passdb/passdb.c
> @@ -1521,46 +1521,99 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
>  	return True;
>  }
>  
> +bool is_trusted_domain_situation(const char *domain_name)
> +{
> +	return IS_DC &&
> +		lp_allow_trusted_domains() &&
> +		!strequal(domain_name, lp_workgroup());
> +}
>  
>  /*******************************************************************
> - Wrapper around retrieving the trust account password
> + Wrapper around retrieving the clear text trust account password.
> + appropriate account name is stored in account_name.
> + Caller must free password, but not account_name.
>  *******************************************************************/
>  
> -bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel)
> +bool get_trust_pw_clear(const char *domain, char **ret_pwd,
> +			const char **account_name, uint32 *channel)
>  {
> -	DOM_SID sid;
>  	char *pwd;
>  	time_t last_set_time;
>  
>  	/* if we are a DC and this is not our domain, then lookup an account
> -		for the domain trust */
> +	 * for the domain trust */
>  
> -	if (IS_DC && !strequal(domain, lp_workgroup()) &&
> -	    lp_allow_trusted_domains())
> -	{
> -		if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time))
> +	if (is_trusted_domain_situation(domain)) {
> +		if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
> +					   &last_set_time))
>  		{
>  			DEBUG(0, ("get_trust_pw: could not fetch trust "
>  				"account password for trusted domain %s\n",
>  				domain));
> -			return False;
> +			return false;
>  		}
>  
>  		*channel = SEC_CHAN_DOMAIN;
> -		E_md4hash(pwd, ret_pwd);
> -		SAFE_FREE(pwd);
>  
> -		return True;
> +		if (account_name != NULL) {
> +			*account_name = lp_workgroup();
> +		}
> +
> +		return true;
>  	}
>  
>  	/* Just get the account for the requested domain. In the future this
>  	 * might also cover to be member of more than one domain. */
>  
> -	if (secrets_fetch_trust_account_password(domain, ret_pwd,
> -						&last_set_time, channel))
> -		return True;
> +	pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
> +
> +	if (pwd != NULL) {
> +		*ret_pwd = pwd;
> +		if (account_name != NULL) {
> +			*account_name = global_myname();
> +		}
> +
> +		return true;
> +	}
> +
> +	DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
> +		  "account password for domain %s\n", domain));
> +	return false;
> +}
> +
> +/*******************************************************************
> + Wrapper around retrieving the trust account password.
> + appropriate account name is stored in account_name.
> +*******************************************************************/
> +
> +bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
> +		       const char **account_name, uint32 *channel)
> +{
> +	char *pwd = NULL;
> +	time_t last_set_time;
> +
> +	if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
> +		E_md4hash(pwd, ret_pwd);
> +		SAFE_FREE(pwd);
> +		return true;
> +	} else if (is_trusted_domain_situation(domain)) {
> +		return false;
> +	}
> +
> +	/* as a fallback, try to get the hashed pwd directly from the tdb... */
> +
> +	if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
> +							&last_set_time,
> +							channel))
> +	{
> +		if (account_name != NULL) {
> +			*account_name = global_myname();
> +		}
> +
> +		return true;
> +	}
>  
> -	DEBUG(5, ("get_trust_pw: could not fetch trust account "
> +	DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
>  		"password for domain %s\n", domain));
>  	return False;
>  }
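Review bot: get_trust_pw_clear() does *channel = SEC_CHAN_DOMAIN unconditionally in the trusted-domain branch although account_name is treated as optional, and the get_trust_creds() helper added in winbindd_cm.c passes NULL for channel, which is a NULL dereference on a DC in a trusted-domain situation. Guard the store with if (channel != NULL) and confirm that secrets_fetch_machine_password() accepts a NULL channel in the other branch. In get_trust_pw_hash() the clear text password is released with SAFE_FREE(pwd) without being zeroed first, and the final return False is the one leftover of the old spelling in a function that otherwise uses true/false.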
> diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
> index a4cb766..fde7fc0 100644
> --- a/source/passdb/secrets.c
> +++ b/source/passdb/secrets.c
> @@ -284,27 +284,19 @@ uint32 get_default_sec_channel(void)
>  
>  /************************************************************************
>   Routine to get the trust account password for a domain.
> + This only tries to get the legacy hashed version of the password.
>   The user of this function must have locked the trust password file using
>   the above secrets_lock_trust_account_password().
>  ************************************************************************/
>  
> -bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
> -					  time_t *pass_last_set_time,
> -					  uint32 *channel)
> +bool secrets_fetch_trust_account_password_legacy(const char *domain,
> +						 uint8 ret_pwd[16],
> +						 time_t *pass_last_set_time,
> +						 uint32 *channel)
>  {
>  	struct machine_acct_pass *pass;
> -	char *plaintext;
>  	size_t size = 0;
>  
> -	plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
> -						   channel);
> -	if (plaintext) {
> -		DEBUG(4,("Using cleartext machine password\n"));
> -		E_md4hash(plaintext, ret_pwd);
> -		SAFE_FREE(plaintext);
> -		return True;
> -	}
> -
>  	if (!(pass = (struct machine_acct_pass *)secrets_fetch(
>  		      trust_keystr(domain), &size))) {
>  		DEBUG(5, ("secrets_fetch failed!\n"));
> @@ -337,6 +329,32 @@ bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
>  	return True;
>  }
>  
> +/************************************************************************
> + Routine to get the trust account password for a domain.
> + The user of this function must have locked the trust password file using
> + the above secrets_lock_trust_account_password().
> +************************************************************************/
> +
> +bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
> +					  time_t *pass_last_set_time,
> +					  uint32 *channel)
> +{
> +	char *plaintext;
> +
> +	plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
> +						   channel);
> +	if (plaintext) {
> +		DEBUG(4,("Using cleartext machine password\n"));
> +		E_md4hash(plaintext, ret_pwd);
> +		SAFE_FREE(plaintext);
> +		return True;
> +	}
> +
> +	return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
> +							   pass_last_set_time,
> +							   channel);
> +}
> +
>  /**
>   * Pack SID passed by pointer
>   *
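Review bot: The header comment on the re-added secrets_fetch_trust_account_password() is a copy of the old text and does not say that it hashes the clear text machine password first and only then falls back to secrets_fetch_trust_account_password_legacy(); add that, since the comment on the _legacy variant now depends on the distinction. get_trust_pw_hash() in passdb.c follows the same clear-then-legacy order, so it is worth checking whether any caller still needs this wrapper.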
> @@ -558,20 +576,6 @@ bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
>  	return True;
>  }
>  
> -/************************************************************************
> - Routine to set the trust account password for a domain.
> -************************************************************************/
> -
> -bool secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
> -{
> -	struct machine_acct_pass pass;
> -
> -	pass.mod_time = time(NULL);
> -	memcpy(pass.hash, new_pwd, 16);
> -
> -	return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
> -}
> -
>  /**
>   * Routine to store the password for trusted domain
>   *
> @@ -722,15 +726,6 @@ char *secrets_fetch_machine_password(const char *domain,
>  }
>  
>  /************************************************************************
> - Routine to delete the machine trust account password file for a domain.
> -************************************************************************/
> -
> -bool trust_password_delete(const char *domain)
> -{
> -	return secrets_delete(trust_keystr(domain));
> -}
> -
> -/************************************************************************
>   Routine to delete the password for trusted domain
>  ************************************************************************/
>  
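Review bot: With trust_password_delete() removed here and secrets_store_trust_account_password() removed in the previous hunk, nothing visible in this patch can update or delete a trust_keystr(domain) entry, while secrets_fetch_trust_account_password_legacy() still reads it and get_trust_pw_hash() falls back to it. A stale MD4 hash left in secrets.tdb by an older installation would stay in place and be picked up whenever the clear text fetch fails; either keep a delete path for the legacy key or document how it is expected to be cleaned up.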
> diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
> index 37558a7..f61ea95 100644
> --- a/source/rpc_client/cli_pipe.c
> +++ b/source/rpc_client/cli_pipe.c
> @@ -2424,49 +2424,29 @@ struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
>  }
>  
>  /****************************************************************************
> - Open a netlogon pipe and get the schannel session key.
> - Now exposed to external callers.
> +  Get a the schannel session key out of an already opened netlogon pipe.
>   ****************************************************************************/
> -
> -struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
> -							const char *domain,
> -							uint32 *pneg_flags,
> -							NTSTATUS *perr)
> +static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
> +					    struct cli_state *cli,
> +					    const char *domain,
> +					    uint32 *pneg_flags,
> +					    NTSTATUS *perr)
>  {
> -	struct rpc_pipe_client *netlogon_pipe = NULL;
>  	uint32 sec_chan_type = 0;
>  	unsigned char machine_pwd[16];
> -	fstring machine_account;
> -
> -	netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
> -	if (!netlogon_pipe) {
> -		return NULL;
> -	}
> +	const char *machine_account;
>  
>  	/* Get the machine account credentials from secrets.tdb. */
> -	if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
> +	if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
> +			       &sec_chan_type))
> +	{
>  		DEBUG(0, ("get_schannel_session_key: could not fetch "
>  			"trust account password for domain '%s'\n",
>  			domain));
> -		cli_rpc_pipe_close(netlogon_pipe);
>  		*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -		return NULL;
> +		return false;
>  	}
>  
> -	/* A DC should use DOMAIN$ as its account name.
> -	   A member server can only use it's machine name since it
> -	   does not have an account in a trusted domain.
> -
> -	   We don't check the domain against lp_workgroup() here since
> -	   'net ads join' has to continue to work with only the realm
> -	   specified in smb.conf.  -- jerry */
> -
> -        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
> -		fstrcpy( machine_account, lp_workgroup() );
> -        } else {
> -		fstrcpy(machine_account, global_myname());
> -        }
> -
>  	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
>  					cli->desthost, /* server name */
>  					domain,	       /* domain */
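Review bot: The DEBUG(0) message in get_schannel_session_key_common() still begins with "get_schannel_session_key:", so a failure reached through get_schannel_session_key_auth_ntlmssp() will be logged under the wrong function name; rename the prefix to the _common name. The new header comment reads "Get a the schannel session key", and the deleted comment explaining which account name a DC and a member server use would be worth carrying over to get_trust_pw_clear(), where that decision is now made.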
> @@ -2477,11 +2457,10 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
>  					pneg_flags);
>  
>  	if (!NT_STATUS_IS_OK(*perr)) {
> -		DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
> +		DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
>  			"failed with result %s to server %s, domain %s, machine account %s.\n",
>  			nt_errstr(*perr), cli->desthost, domain, machine_account ));
> -		cli_rpc_pipe_close(netlogon_pipe);
> -		return NULL;
> +		return false;
>  	}
>  
>  	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
> @@ -2489,6 +2468,34 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
>  			cli->desthost));
>  		cli_rpc_pipe_close(netlogon_pipe);
>  		*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
> +		return false;
> +	}
> +
> +	return true;
> +}
> +
> +/****************************************************************************
> + Open a netlogon pipe and get the schannel session key.
> + Now exposed to external callers.
> + ****************************************************************************/
> +
> +
> +struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
> +							const char *domain,
> +							uint32 *pneg_flags,
> +							NTSTATUS *perr)
> +{
> +	struct rpc_pipe_client *netlogon_pipe = NULL;
> +
> +	netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
> +	if (!netlogon_pipe) {
> +		return NULL;
> +	}
> +
> +	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
> +					     pneg_flags, perr))
> +	{
> +		cli_rpc_pipe_close(netlogon_pipe);
>  		return NULL;
>  	}
>  
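Review bot: In get_schannel_session_key_common() the branch taken when the server does not offer NETLOGON_NEG_SCHANNEL still calls cli_rpc_pipe_close(netlogon_pipe) before the new return false, and get_schannel_session_key() then calls cli_rpc_pipe_close(netlogon_pipe) again on any false return, so the pipe is closed twice on that path. The other two failure paths in the helper leave the close to the caller; drop the cli_rpc_pipe_close() call from the helper so that ownership stays with the function that opened the pipe.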
> @@ -2560,61 +2567,16 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
>  							NTSTATUS *perr)
>  {
>  	struct rpc_pipe_client *netlogon_pipe = NULL;
> -	uint32 sec_chan_type = 0;
> -	unsigned char machine_pwd[16];
> -	fstring machine_account;
>  
>  	netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
>  	if (!netlogon_pipe) {
>  		return NULL;
>  	}
>  
> -	/* Get the machine account credentials from secrets.tdb. */
> -	if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
> -		DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
> -			"trust account password for domain '%s'\n",
> -			domain));
> -		cli_rpc_pipe_close(netlogon_pipe);
> -		*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> -		return NULL;
> -	}
> -
> -        /* if we are a DC and this is a trusted domain, then we need to use our
> -           domain name in the net_req_auth2() request */
> -
> -        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
> -		fstrcpy( machine_account, lp_workgroup() );
> -        } else {
> -                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
> -                if (strequal(domain, lp_workgroup())) {
> -                        fstrcpy(machine_account, global_myname());
> -                } else {
> -                        fstrcpy(machine_account, domain);
> -                }
> -        }
> -
> -	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
> -					cli->desthost,     /* server name */
> -					domain,            /* domain */
> -					global_myname(),   /* client name */
> -					machine_account,   /* machine account name */
> -					machine_pwd,
> -					sec_chan_type,
> -					pneg_flags);
> -
> -	if (!NT_STATUS_IS_OK(*perr)) {
> -		DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
> -			"failed with result %s\n",
> -			nt_errstr(*perr) ));
> -		cli_rpc_pipe_close(netlogon_pipe);
> -		return NULL;
> -	}
> -
> -	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
> -		DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
> -			cli->desthost));
> +	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
> +					     pneg_flags, perr))
> +	{
>  		cli_rpc_pipe_close(netlogon_pipe);
> -		*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
>  		return NULL;
>  	}
>  
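Review bot: The removed else branch used domain as the machine account name for a member server when domain differs from lp_workgroup(); after this change the name comes from get_trust_pw_hash(), which yields global_myname() outside the trusted-domain situation. The JRA question deleted here was the only in-code record of doubt about that case, so leave a short comment at the new decision point in passdb.c stating which name is used and why. The failure DEBUG lines no longer identify the NTLMSSP path either, which will make the two callers hard to tell apart in logs.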
> diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
> index 3f65449..cb366a2 100644
> --- a/source/winbindd/winbindd_cm.c
> +++ b/source/winbindd/winbindd_cm.c
> @@ -635,6 +635,40 @@ static bool get_dc_name_via_netlogon(const struct winbindd_domain *domain,
>  	return True;
>  }
>  
> +/**
> + * Helper function to assemble trust password and account name
> + */
> +static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
> +				char **machine_password,
> +				char **machine_account,
> +				char **machine_krb5_principal)
> +{
> +	const char *account_name;
> +
> +	if (!get_trust_pw_clear(domain->name, machine_password,
> +				&account_name, NULL))
> +	{
> +		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
> +	}
> +
> +	if ((machine_account != NULL) &&
> +	    (asprintf(machine_account, "%s$", account_name) == -1))
> +	{
> +		return NT_STATUS_NO_MEMORY;
> +	}
> +
> +	/* this is at least correct when domain is our domain,
> +	 * which is the only case, when this is currently used: */
> +	if ((machine_krb5_principal != NULL) &&
> +	    (asprintf(machine_krb5_principal, "%s$@%s", account_name,
> +		      domain->alt_name) == -1))
> +	{
> +		return NT_STATUS_NO_MEMORY;
> +	}
> +
> +	return NT_STATUS_OK;
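Review bot: When either asprintf() call in get_trust_creds() fails, the function returns NT_STATUS_NO_MEMORY without freeing *machine_password, which get_trust_pw_clear() documents as caller-owned clear text, and the second failure also leaks *machine_account. Free (and preferably zero) what has already been allocated before returning, and reset the out pointers to NULL. machine_password is also passed straight through without the != NULL check that the other two out parameters get, so either check it or document it as mandatory.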
> 
> 
> -- 
> Samba Shared Repository

-- 

i.A. Michael Adam

-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE