diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2003-02-15 00:29:21 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2003-02-15 00:29:21 +0000 |
| commit | e4202a9fe70785a0a5b47c90df696a880294d310 (patch) | |
| tree | 452600615827b27c95820d184ee495e476f57618 /source3/libsmb | |
| parent | 3b2693f1ae3b1e06d3015843d2933177fcb97a87 (diff) | |
| download | samba-e4202a9fe70785a0a5b47c90df696a880294d310.tar.gz samba-e4202a9fe70785a0a5b47c90df696a880294d310.tar.bz2 samba-e4202a9fe70785a0a5b47c90df696a880294d310.zip | |
Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable
users w/o full administrative access on computer accounts to join a
computer into AD domain.
The patch and detailed changelog is available at:
http://www.itcollege.ee/~aandreim/samba
This is a list of changes in general:
1. When creating machine account do not fail if SD cannot be changed.
setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
username is specified (-U). Initial TGT will be requested in this case.
I've modified the patch to share the kinit code, rather than copying it,
and updated it to current CVS. The other change included in the original patch
(local realms) has been left out for now.
Andrew Bartlett
(This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)
Diffstat (limited to 'source3/libsmb')
| -rw-r--r-- | source3/libsmb/cliconnect.c | 22 | ||||
| -rw-r--r-- | source3/libsmb/clikrb5.c | 2 |
2 files changed, 23 insertions, 1 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9c7b168431..90a7eca8e7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -446,6 +446,13 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) #ifdef HAVE_KRB5 /**************************************************************************** + Use in-memory credentials cache +****************************************************************************/ +static void use_in_memory_ccache() { + setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads_testjoin", 1); +} + +/**************************************************************************** Do a spnego/kerberos encrypted session setup. ****************************************************************************/ @@ -656,6 +663,21 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 + /* If password is set we reauthenticate to kerberos server + * and do not store results */ + + if (*pass) { + int ret; + + use_in_memory_ccache(); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */); + + if (ret){ + DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); + return False; + } + } + if (got_kerberos_mechanism && cli->use_kerberos) { return cli_session_setup_kerberos(cli, principal, workgroup); } diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 203d9d874b..e380d80bcc 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -278,6 +278,7 @@ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) ENCTYPE_ARCFOUR_HMAC, #endif ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL}; retval = krb5_init_context(&context); @@ -324,7 +325,6 @@ failed: return data_blob(NULL, 0); } - #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ DATA_BLOB krb5_get_ticket(const char *principal, time_t time_offset) |