author | Tim Potter <tpot@samba.org> | 2001-12-11 05:19:15 +0000 |
---|---|---|
committer | Tim Potter <tpot@samba.org> | 2001-12-11 05:19:15 +0000 |
commit | 6cc5e2edc1018a30b9ef16f2572849790ab490d1 (patch) | |
tree | 3e55db5b5e67d747a5c61ccfb542a84678a448c8 /source3/nsswitch | |
parent | f4dfa9b6b26020c32c6e8452ea6b5bfb8e631981 (diff) | |
Modify winbindd to use authenticated user info from secrets.tdb when making
IPC$ connections to domain controllers.
(This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/winbindd.h | 5 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 31 |
2 files changed, 34 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h index 40514cc83a..2a6fa22961 100644 --- a/source3/nsswitch/winbindd.h +++ b/source3/nsswitch/winbindd.h @@ -194,4 +194,9 @@ typedef struct { #define SETENV(name, value, overwrite) ; #endif +/* Authenticated user info is stored in secrets.tdb under these keys */ + +#define SECRETS_AUTH_USER "SECRETS/AUTH_USER" +#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD" + #endif /* _WINBINDD_H */ diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 987b28e09c..31ab61a7de 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -182,6 +182,34 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name) return True; } +/* Choose between anonymous or authenticated connections. We need to use + an authenticated connection if DCs have the RestrictAnonymous registry + entry set > 0, or the "Additional restrictions for anonymous + connections" set in the win2k Local Security Policy. */ + +void cm_init_creds(struct ntuser_creds *creds) +{ + char *username, *password; + + ZERO_STRUCTP(creds); + + creds->pwd.null_pwd = True; /* anonymoose */ + + username = secrets_fetch(SECRETS_AUTH_USER, NULL); + password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL); + + if (username && *username) { + pwd_set_cleartext(&creds->pwd, password); + + fstrcpy(creds->user_name, username); + fstrcpy(creds->domain, lp_workgroup()); + + DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain, + creds->user_name)); + } else + DEBUG(3, ("IPC$ connections done anonymously\n")); +} + /* Open a new smb pipe connection to a DC on a given domain. Cache negative creation attempts so we don't try and connect to broken machines too often. */ 
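Review bot: In cm_init_creds() the authenticated branch is taken on `username && *username` alone, so a secrets.tdb that holds SECRETS_AUTH_USER but no SECRETS_AUTH_PASSWORD entry hands a NULL `password` to pwd_set_cleartext(); the condition should also require `password`. Neither fetched buffer is released: if secrets_fetch() returns caller-owned heap memory (its definition is outside this diff, so this needs confirming), every new DC connection leaks both buffers and leaves a cleartext copy of the password behind in the heap. Passing NULL as the second argument also means the stored values are trusted to be NUL-terminated before `*username` and fstrcpy() read them, which deserves a comment or a length check. I would clear and free the password and free the username before returning, as sketched below, assuming pwd_set_cleartext() copies its argument. The local `creds` filled in the cm_open_connection hunk could likewise be cleared with `ZERO_STRUCT(creds);` once cli_init_creds() has taken its copy, if it does copy.

```c
	if (username && *username && password) {
		/* ... unchanged: pwd_set_cleartext, fstrcpy calls, DEBUG ... */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* Assumes secrets_fetch() returns malloc'ed memory owned by the
	   caller - confirm against its definition. */
	if (password) {
		memset(password, 0, strlen(password));
		free(password);
	}
	free(username);
}
```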
@@ -257,8 +285,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name, make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20); make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0); - ZERO_STRUCT(creds); - creds.pwd.null_pwd = 1; + cm_init_creds(&creds); cli_init_creds(new_conn->cli, &creds); |