diff options
author | Andrew Tridgell <tridge@samba.org> | 2001-12-05 09:46:53 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2001-12-05 09:46:53 +0000 |
commit | 9421ad4a7a900b219f87754bc20fa14f2f22fd35 (patch) | |
tree | 555b136a1ba6bb77e540ab61ec549f44e6426484 | |
parent | cc3aff7436e8730efb6511ca18308830cc40cb61 (diff) | |
download | samba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.tar.gz samba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.tar.bz2 samba-9421ad4a7a900b219f87754bc20fa14f2f22fd35.zip |
added a REALLY gross hack into kerberos_kinit_password so that
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
-rw-r--r-- | source3/include/ads.h | 1 | ||||
-rw-r--r-- | source3/libads/ads_struct.c | 5 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 21 | ||||
-rw-r--r-- | source3/libads/ldap.c | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_ads.c | 2 | ||||
-rw-r--r-- | source3/smbd/negprot.c | 2 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 2 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 2 |
8 files changed, 34 insertions, 5 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index 36351c1c2b..9c5e26f703 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -12,6 +12,7 @@ typedef struct { int ldap_port; char *bind_path; time_t last_attempt; + char *password; } ADS_STRUCT; diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 2d8bf06156..83c8f5b404 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -134,7 +134,8 @@ static char *find_ldap_server(ADS_STRUCT *ads) */ ADS_STRUCT *ads_init(const char *realm, const char *ldap_server, - const char *bind_path) + const char *bind_path, + const char *password) { ADS_STRUCT *ads; @@ -145,6 +146,7 @@ ADS_STRUCT *ads_init(const char *realm, ads->ldap_server = ldap_server? strdup(ldap_server) : NULL; ads->bind_path = bind_path? strdup(bind_path) : NULL; ads->ldap_port = LDAP_PORT; + if (password) ads->password = strdup(password); if (!ads->realm) { ads->realm = strdup(lp_realm()); @@ -181,6 +183,7 @@ void ads_destroy(ADS_STRUCT **ads) SAFE_FREE((*ads)->ldap_server); SAFE_FREE((*ads)->kdc_server); SAFE_FREE((*ads)->bind_path); + SAFE_FREE((*ads)->password); ZERO_STRUCTP(*ads); SAFE_FREE(*ads); } diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index a3aa8b1661..1b0de382bd 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -23,6 +23,27 @@ #ifdef HAVE_KRB5 + +/* VERY nasty hack until we have proper kerberos code for this */ +void kerberos_kinit_password(ADS_STRUCT *ads) +{ + char *s; + FILE *f; + extern pstring global_myname; + fstring myname; + fstrcpy(myname, global_myname); + strlower(myname); + asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm); + DEBUG(0,("HACK!! Running %s\n", s)); + f = popen(s, "w"); + if (f) { + fprintf(f,"%s\n", ads->password); + fflush(f); + fclose(f); + } + free(s); +} + /* verify an incoming ticket and parse out the principal name and authorization_data if available diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 14fd716058..287ea225a1 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -70,6 +70,10 @@ int ads_connect(ADS_STRUCT *ads) } ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); + if (ads->password) { + kerberos_kinit_password(ads); + } + rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, LDAP_SASL_QUIET, sasl_interact, NULL); diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index 145f2b68d1..edf4d45c38 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -38,7 +38,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) return (ADS_STRUCT *)domain->private; } - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, secrets_fetch_machine_password()); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", domain->name)); return NULL; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 78d4da3a75..b99d239540 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -186,7 +186,7 @@ static int negprot_spnego(char *p) #endif { ADS_STRUCT *ads; - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); /* win2000 uses host$@REALM, which we will probably use eventually, but for now this works */ diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 35155c0dec..8e7ee38504 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -87,7 +87,7 @@ static int reply_spnego_kerberos(connection_struct *conn, return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); ret = ads_verify_ticket(ads, &ticket, &client, &auth_data); if (!NT_STATUS_IS_OK(ret)) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index a1ea063b20..c956d9bb65 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -44,7 +44,7 @@ static ADS_STRUCT *ads_startup(void) { ADS_STRUCT *ads; int rc; - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); rc = ads_connect(ads); if (rc) { |