authorAndrew Bartlett <abartlet@samba.org>2003-04-21 14:09:03 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-04-21 14:09:03 +0000
commitf071020f5e49837154581c97c5af5f84d0e2de89 (patch)
tree14c4f4c08cc935145926000a886f8dd718c66e93 /source3/passdb
parent06c99d15e217e265d51778268d5b859dff3c478c (diff)
downloadsamba-f071020f5e49837154581c97c5af5f84d0e2de89.tar.gz
samba-f071020f5e49837154581c97c5af5f84d0e2de89.tar.bz2
samba-f071020f5e49837154581c97c5af5f84d0e2de89.zip
Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also changes the SID retrieval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/machine_sid.c15
-rw-r--r--source3/passdb/secrets.c102
2 files changed, 101 insertions, 16 deletions
diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c
index 071af50877..a578ecc711 100644
--- a/source3/passdb/machine_sid.c
+++ b/source3/passdb/machine_sid.c
@@ -78,6 +78,7 @@ static void generate_random_sid(DOM_SID *sid)
static BOOL pdb_generate_sam_sid(void)
{
+ DOM_SID domain_sid;
char *fname = NULL;
BOOL is_dc = False;
@@ -97,8 +98,14 @@ static BOOL pdb_generate_sam_sid(void)
break;
}
+ if (is_dc) {
+ if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
+ sid_copy(global_sam_sid, &domain_sid);
+ return True;
+ }
+ }
+
if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) {
- DOM_SID domain_sid;
/* We got our sid. If not a pdc/bdc, we're done. */
if (!is_dc)
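Review bot: The new `if (is_dc)` block copies the SID stored under `lp_workgroup()` into global_sam_sid and returns before the SID stored under `global_myname()` is ever fetched or compared, so on a DC a pre-existing local SID that differs from the domain SID stays in secrets.tdb untouched and unreported, while the mismatch handling further down this function only runs on the fallthrough path. If that is the intent, say so next to the early return, e.g. `/* A DC takes the domain SID recorded at join time; the 'local' SID under global_myname() is neither consulted nor updated here. */`; otherwise consider logging when the two disagree, or re-storing the domain SID under `global_myname()` as the next hunk does for the other path. As a point of style the nested ifs can collapse to `if (is_dc && secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {`. pdb_generate_sam_sid starts before and ends after this hunk.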
@@ -117,11 +124,11 @@ static BOOL pdb_generate_sam_sid(void)
if (!sid_equal(&domain_sid, global_sam_sid)) {
- /* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
+ /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
+ if (!secrets_store_domain_sid(global_myname(), &domain_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
return False;
}
return True;
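Review bot: The DEBUG(0) on the mismatch branch is now followed by overwriting the SID stored under `global_myname()` with the domain SID, but the message does not say which two SIDs disagreed, which is the one detail an administrator needs when the on-disk identity of a PDC/BDC is rewritten. Consider `DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc: local %s, domain %s.\n", sid_string_static(global_sam_sid), sid_string_static(&domain_sid)));` using the existing SID-to-string helper, assuming it is in scope here. The surrounding function continues outside the hunk, so the `if (!is_dc)` branch that leads here is not visible.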
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index db08d02714..63e67aa16a 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -222,25 +222,40 @@ BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock)
}
/************************************************************************
+ Routine to get the default secure channel type for trust accounts
+************************************************************************/
+
+uint32 get_default_sec_channel(void)
+{
+ if (lp_server_role() == ROLE_DOMAIN_BDC ||
+ lp_server_role() == ROLE_DOMAIN_PDC) {
+ return SEC_CHAN_BDC;
+ } else {
+ return SEC_CHAN_WKSTA;
+ }
+}
+
+/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file using
the above call.
************************************************************************/
BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
- time_t *pass_last_set_time)
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
struct machine_acct_pass *pass;
char *plaintext;
size_t size;
- plaintext = secrets_fetch_machine_password();
+ plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
+ channel);
if (plaintext) {
/* we have an ADS password - use that */
DEBUG(4,("Using ADS machine password\n"));
E_md4hash(plaintext, ret_pwd);
SAFE_FREE(plaintext);
- pass_last_set_time = 0;
return True;
}
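Review bot: The header comment above secrets_fetch_trust_account_password still describes only the locking precondition and says nothing about the new `channel` out-parameter, so callers cannot tell from the declaration that it may be NULL (as must_use_pdc passes later in this diff) or what value it receives. I would extend the comment with: `channel, if non-NULL, receives the SEC_CHAN_* type recorded for the domain, or get_default_sec_channel() when none is recorded or when the password comes from the old-style trust account record.` The new get_default_sec_channel also calls lp_server_role() twice for one decision; `uint32 role = lp_server_role();` followed by comparing `role` reads more clearly and avoids the repeated lookup. The body of secrets_fetch_trust_account_password continues past the end of this hunk.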
@@ -257,6 +272,10 @@ BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
memcpy(ret_pwd, pass->hash, 16);
SAFE_FREE(pass);
+
+ if (channel)
+ *channel = get_default_sec_channel();
+
return True;
}
@@ -356,14 +375,42 @@ BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_d
the password is assumed to be a null terminated ascii string
************************************************************************/
-BOOL secrets_store_machine_password(const char *pass)
+BOOL secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
{
- char *key;
+ char *key = NULL;
BOOL ret;
- asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ uint32 last_change_time;
+ uint32 sec_channel_type;
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
+ if (!key)
+ return False;
strupper(key);
+
ret = secrets_store(key, pass, strlen(pass)+1);
- free(key);
+ SAFE_FREE(key);
+
+ if (!ret)
+ return ret;
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+ if (!key)
+ return False;
+ strupper(key);
+
+ SIVAL(&last_change_time, 0, time(NULL));
+ ret = secrets_store(key, &last_change_time, sizeof(last_change_time));
+ SAFE_FREE(key);
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+ if (!key)
+ return False;
+ strupper(key);
+
+ SIVAL(&sec_channel_type, 0, sec_channel);
+ ret = secrets_store(key, &sec_channel_type, sizeof(sec_channel_type));
+ SAFE_FREE(key);
+
return ret;
}
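Review bot: The result of the second secrets_store (the last-change timestamp) is overwritten by the third store's result without being checked, so a failed timestamp write is reported as success even though the password record has already been replaced; add `if (!ret) return ret;` after the `SAFE_FREE(key);` that follows the timestamp store, mirroring the check already placed after the password store. Because the three values are separate records, any mid-way failure leaves the new password beside the previous channel type or timestamp, which is worth a comment on the function if it cannot be made atomic here. The NULL tests on `key` rely on asprintf leaving the pointer NULL on failure, which is not guaranteed by every libc; testing the return value, `if (asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain) < 0) return False;`, is the portable form.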
@@ -372,14 +419,45 @@ BOOL secrets_store_machine_password(const char *pass)
Routine to fetch the plaintext machine account password for a realm
the password is assumed to be a null terminated ascii string
************************************************************************/
-char *secrets_fetch_machine_password(void)
+char *secrets_fetch_machine_password(const char *domain,
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
- char *key;
+ char *key = NULL;
char *ret;
- asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
strupper(key);
ret = (char *)secrets_fetch(key, NULL);
- free(key);
+ SAFE_FREE(key);
+
+ if (pass_last_set_time) {
+ size_t size;
+ uint32 *last_set_time;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+ strupper(key);
+ last_set_time = secrets_fetch(key, &size);
+ if (last_set_time) {
+ *pass_last_set_time = IVAL(last_set_time,0);
+ } else {
+ *pass_last_set_time = 0;
+ }
+ SAFE_FREE(key);
+ }
+
+ if (channel) {
+ size_t size;
+ uint32 *channel_type;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+ strupper(key);
+ channel_type = secrets_fetch(key, &size);
+ if (channel_type) {
+ *channel = IVAL(channel_type,0);
+ } else {
+ *channel = get_default_sec_channel();
+ }
+ SAFE_FREE(key);
+ }
+
return ret;
}
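Review bot: The buffers returned by secrets_fetch for `last_set_time` and `channel_type` are never freed (only `key` is), whereas the fetched password is freed by every caller elsewhere in this diff, so each call with a non-NULL `pass_last_set_time` or `channel` leaks two tdb records. The `size` written by secrets_fetch is also never compared against sizeof(uint32) before IVAL reads four bytes, so a short or corrupted record is read past its end, and unlike the store side added in the previous hunk the asprintf results here are unchecked before `strupper(key)`. The rewrite below fixes the timestamp block; the channel block needs the same three changes (asprintf check, size check, SAFE_FREE(channel_type)). secrets_fetch_machine_password is the function under review and is shown in full.
```c
	if (pass_last_set_time) {
		size_t size = 0;
		uint32 *last_set_time;
		if (asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain) < 0) {
			SAFE_FREE(ret);
			return NULL;
		}
		strupper(key);
		last_set_time = secrets_fetch(key, &size);
		SAFE_FREE(key);
		if (last_set_time && size == sizeof(uint32)) {
			*pass_last_set_time = IVAL(last_set_time,0);
		} else {
			*pass_last_set_time = 0;
		}
		SAFE_FREE(last_set_time);
	}
	/* … the channel block mirrors this: asprintf check, size == sizeof(uint32), SAFE_FREE(channel_type) … */
```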
@@ -623,7 +701,7 @@ BOOL must_use_pdc( const char *domain )
time_t last_change_time;
unsigned char passwd[16];
- if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time) )
+ if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time, NULL) )
return False;
/*