summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2001-12-05 09:46:53 +0000
committerAndrew Tridgell <tridge@samba.org>2001-12-05 09:46:53 +0000
commit9421ad4a7a900b219f87754bc20fa14f2f22fd35 (patch)
tree555b136a1ba6bb77e540ab61ec549f44e6426484
parentcc3aff7436e8730efb6511ca18308830cc40cb61 (diff)
downloadsamba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.tar.gz
samba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.tar.bz2
samba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.zip
added a REALLY gross hack into kerberos_kinit_password so that
winbindd can do a kinit this will be removed once we have code that gets a tgt and puts it in a place where cyrus-sasl can see it (This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
-rw-r--r--source3/include/ads.h1
-rw-r--r--source3/libads/ads_struct.c5
-rw-r--r--source3/libads/kerberos.c21
-rw-r--r--source3/libads/ldap.c4
-rw-r--r--source3/nsswitch/winbindd_ads.c2
-rw-r--r--source3/smbd/negprot.c2
-rw-r--r--source3/smbd/sesssetup.c2
-rw-r--r--source3/utils/net_ads.c2
8 files changed, 34 insertions, 5 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 36351c1c2b..9c5e26f703 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -12,6 +12,7 @@ typedef struct {
int ldap_port;
char *bind_path;
time_t last_attempt;
+ char *password;
} ADS_STRUCT;
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 2d8bf06156..83c8f5b404 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -134,7 +134,8 @@ static char *find_ldap_server(ADS_STRUCT *ads)
*/
ADS_STRUCT *ads_init(const char *realm,
const char *ldap_server,
- const char *bind_path)
+ const char *bind_path,
+ const char *password)
{
ADS_STRUCT *ads;
@@ -145,6 +146,7 @@ ADS_STRUCT *ads_init(const char *realm,
ads->ldap_server = ldap_server? strdup(ldap_server) : NULL;
ads->bind_path = bind_path? strdup(bind_path) : NULL;
ads->ldap_port = LDAP_PORT;
+ if (password) ads->password = strdup(password);
if (!ads->realm) {
ads->realm = strdup(lp_realm());
@@ -181,6 +183,7 @@ void ads_destroy(ADS_STRUCT **ads)
SAFE_FREE((*ads)->ldap_server);
SAFE_FREE((*ads)->kdc_server);
SAFE_FREE((*ads)->bind_path);
+ SAFE_FREE((*ads)->password);
ZERO_STRUCTP(*ads);
SAFE_FREE(*ads);
}
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index a3aa8b1661..1b0de382bd 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -23,6 +23,27 @@
#ifdef HAVE_KRB5
+
+/* VERY nasty hack until we have proper kerberos code for this */
+void kerberos_kinit_password(ADS_STRUCT *ads)
+{
+ char *s;
+ FILE *f;
+ extern pstring global_myname;
+ fstring myname;
+ fstrcpy(myname, global_myname);
+ strlower(myname);
+ asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm);
+ DEBUG(0,("HACK!! Running %s\n", s));
+ f = popen(s, "w");
+ if (f) {
+ fprintf(f,"%s\n", ads->password);
+ fflush(f);
+ fclose(f);
+ }
+ free(s);
+}
+
/*
verify an incoming ticket and parse out the principal name and
authorization_data if available
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 14fd716058..287ea225a1 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -70,6 +70,10 @@ int ads_connect(ADS_STRUCT *ads)
}
ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+ if (ads->password) {
+ kerberos_kinit_password(ads);
+ }
+
rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL,
LDAP_SASL_QUIET,
sasl_interact, NULL);
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 145f2b68d1..edf4d45c38 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -38,7 +38,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
return (ADS_STRUCT *)domain->private;
}
- ads = ads_init(NULL, NULL, NULL);
+ ads = ads_init(NULL, NULL, NULL, secrets_fetch_machine_password());
if (!ads) {
DEBUG(1,("ads_init for domain %s failed\n", domain->name));
return NULL;
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 78d4da3a75..b99d239540 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -186,7 +186,7 @@ static int negprot_spnego(char *p)
#endif
{
ADS_STRUCT *ads;
- ads = ads_init(NULL, NULL, NULL);
+ ads = ads_init(NULL, NULL, NULL, NULL);
/* win2000 uses host$@REALM, which we will probably use eventually,
but for now this works */
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 35155c0dec..8e7ee38504 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -87,7 +87,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
- ads = ads_init(NULL, NULL, NULL);
+ ads = ads_init(NULL, NULL, NULL, NULL);
ret = ads_verify_ticket(ads, &ticket, &client, &auth_data);
if (!NT_STATUS_IS_OK(ret)) {
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index a1ea063b20..c956d9bb65 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -44,7 +44,7 @@ static ADS_STRUCT *ads_startup(void)
{
ADS_STRUCT *ads;
int rc;
- ads = ads_init(NULL, NULL, NULL);
+ ads = ads_init(NULL, NULL, NULL, NULL);
rc = ads_connect(ads);
if (rc) {