summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Adam <obnox@samba.org>2007-12-11 13:59:54 +0100
committerMichael Adam <obnox@samba.org>2007-12-13 10:15:18 +0100
commit1084151442552e63c0b9b310273d8d42711aa55c (patch)
tree3ae3b6cf3373af98063aaba6bd4637996a19c9f2
parentfe969f9a7fdf823b7701d4cc4cfd55dac81ca90e (diff)
downloadsamba-1084151442552e63c0b9b310273d8d42711aa55c.tar.gz
samba-1084151442552e63c0b9b310273d8d42711aa55c.tar.bz2
samba-1084151442552e63c0b9b310273d8d42711aa55c.zip
Export logic of get_trust_pw() to new function get_trust_pw_clear().
get_trust_pw() just now computes the md4 hash of the result of get_trust_pw_clear() if that was successful. As a last resort, in the non-trusted-domain-situation, get_trust_pw() now tries to directly obtain the hashed version of the password out of secrets.tdb. Michael (This used to be commit 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7)
-rw-r--r--source3/passdb/passdb.c74
1 files changed, 58 insertions, 16 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f9b972da9b..488458fc85 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1521,58 +1521,100 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
return True;
}
+bool is_trusted_domain_situation(const char *domain_name)
+{
+ return IS_DC &&
+ lp_allow_trusted_domains() &&
+ !strequal(domain_name, lp_workgroup());
+}
/*******************************************************************
- Wrapper around retrieving the trust account password.
+ Wrapper around retrieving the clear text trust account password.
appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
*******************************************************************/
-bool get_trust_pw(const char *domain, uint8 ret_pwd[16],
- const char **account_name, uint32 *channel)
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name, uint32 *channel)
{
DOM_SID sid;
char *pwd;
time_t last_set_time;
/* if we are a DC and this is not our domain, then lookup an account
- for the domain trust */
+ * for the domain trust */
- if (IS_DC && !strequal(domain, lp_workgroup()) &&
- lp_allow_trusted_domains())
- {
- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time))
+ if (is_trusted_domain_situation(domain)) {
+ if (!pdb_get_trusteddom_pw(domain, ret_pwd, &sid,
+ &last_set_time))
{
DEBUG(0, ("get_trust_pw: could not fetch trust "
"account password for trusted domain %s\n",
domain));
- return False;
+ return false;
}
*channel = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
if (account_name != NULL) {
*account_name = lp_workgroup();
}
- return True;
+ return true;
}
/* Just get the account for the requested domain. In the future this
* might also cover to be member of more than one domain. */
- if (secrets_fetch_trust_account_password(domain, ret_pwd,
- &last_set_time, channel))
+ pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+
+ if (pwd != NULL) {
+ *ret_pwd = pwd;
+ if (account_name != NULL) {
+ *account_name = global_myname();
+ }
+
+ return true;
+ }
+
+ DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ "account password for domain %s\n", domain));
+ return false;
+}
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
+*******************************************************************/
+
+bool get_trust_pw(const char *domain, uint8 ret_pwd[16],
+ const char **account_name, uint32 *channel)
+{
+ char *pwd = NULL;
+ time_t last_set_time;
+
+ if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+ return true;
+ } else if (is_trusted_domain_situation(domain)) {
+ return false;
+ }
+
+ /* as a fallback, try to get the hashed pwd directly from the tdb... */
+
+ if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+ &last_set_time,
+ channel))
{
if (account_name != NULL) {
*account_name = global_myname();
}
- return True;
+ return true;
}
- DEBUG(5, ("get_trust_pw: could not fetch trust account "
+ DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
"password for domain %s\n", domain));
return False;
}