authorTim Potter <tpot@samba.org>2001-12-11 05:19:15 +0000
committerTim Potter <tpot@samba.org>2001-12-11 05:19:15 +0000
commit6cc5e2edc1018a30b9ef16f2572849790ab490d1 (patch)
tree3e55db5b5e67d747a5c61ccfb542a84678a448c8 /source3/nsswitch
parentf4dfa9b6b26020c32c6e8452ea6b5bfb8e631981 (diff)
Modify winbindd to use authenticated user info from secrets.tdb when making
IPC$ connections to domain controllers. (This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd.h5
-rw-r--r--source3/nsswitch/winbindd_cm.c31
2 files changed, 34 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h
index 40514cc83a..2a6fa22961 100644
--- a/source3/nsswitch/winbindd.h
+++ b/source3/nsswitch/winbindd.h
@@ -194,4 +194,9 @@ typedef struct {
#define SETENV(name, value, overwrite) ;
#endif
+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
+
#endif /* _WINBINDD_H */
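Review bot: The comment above SECRETS_AUTH_USER and SECRETS_AUTH_PASSWORD does not say that the password is stored in cleartext, which winbindd_cm.c relies on when it passes the fetched value to pwd_set_cleartext(). I would extend it to something like `/* Authenticated user info is stored in secrets.tdb under these keys; the password is cleartext, so secrets.tdb must be readable by root only */`. It would also help to name the tool or code path that writes these keys, which this commit does not show.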
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 987b28e09c..31ab61a7de 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -182,6 +182,34 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name)
return True;
}
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+ char *username, *password;
+
+ ZERO_STRUCTP(creds);
+
+ creds->pwd.null_pwd = True; /* anonymoose */
+
+ username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+ password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (username && *username) {
+ pwd_set_cleartext(&creds->pwd, password);
+
+ fstrcpy(creds->user_name, username);
+ fstrcpy(creds->domain, lp_workgroup());
+
+ DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+ creds->user_name));
+ } else
+ DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
/* Open a new smb pipe connection to a DC on a given domain. Cache
negative creation attempts so we don't try and connect to broken
machines too often. */
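Review bot: In cm_init_creds the authenticated branch is gated on `username` alone, so a secrets.tdb holding SECRETS_AUTH_USER but no SECRETS_AUTH_PASSWORD passes a NULL `password` to pwd_set_cleartext(); whether that helper tolerates NULL is not visible here. The buffers returned by secrets_fetch() are also never released. If they are heap copies, as the call shape suggests, each connection attempt leaks them and leaves a cleartext copy of the password in process memory. I would gate the branch on `password` as well, then wipe and free both buffers before returning, assuming pwd_set_cleartext() and fstrcpy() copy their input. cm_init_creds is also the only non-static function in view; if nothing outside winbindd_cm.c calls it, `static` would match its neighbours.

```c
	if (username && *username && password) {
		/* … unchanged: pwd_set_cleartext, fstrcpy calls, DEBUG … */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* The fetched copies are not referenced past this point; clear the
	   password before releasing it (use a wipe the compiler cannot
	   elide if the tree provides one). */
	if (password)
		memset(password, 0, strlen(password));
	free(username);
	free(password);
```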
@@ -257,8 +285,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name,
make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
- ZERO_STRUCT(creds);
- creds.pwd.null_pwd = 1;
+ cm_init_creds(&creds);
cli_init_creds(new_conn->cli, &creds);