Merge branch 'v3-2-test' of git://git.samba.org/samba into v3-2-test

(This used to be commit 0de2b3eb515f2da21ffd1ce54979bb1f8063024b)
author: James Peach <jpeach@samba.org> 2007-12-13 20:56:53 -0800
committer: James Peach <jpeach@samba.org> 2007-12-13 20:56:53 -0800
commit: 7b457645fb40d7195d75f8e38883b140abcb1955 (patch)
tree: 90c3ca21cd40c98ed4c7c1580b75216f689fad97 /source3/rpc_client/cli_pipe.c
parent: 12ac4c3119b3b7712e670d95d61413d97ecafaef (diff)
parent: 138333ed1f571cd6bb76c3be655f70e35cd48a99 (diff)
download: samba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.gz
samba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.bz2
samba-7b457645fb40d7195d75f8e38883b140abcb1955.zip
1 files changed, 44 insertions, 82 deletions
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 37558a7ff0..f61ea95d04 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2424,49 +2424,29 @@ struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
 }
 
 /****************************************************************************
- Open a netlogon pipe and get the schannel session key.
- Now exposed to external callers.
+  Get a the schannel session key out of an already opened netlogon pipe.
  ****************************************************************************/
-
-struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
-							const char *domain,
-							uint32 *pneg_flags,
-							NTSTATUS *perr)
+static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+					    struct cli_state *cli,
+					    const char *domain,
+					    uint32 *pneg_flags,
+					    NTSTATUS *perr)
 {
-	struct rpc_pipe_client *netlogon_pipe = NULL;
 	uint32 sec_chan_type = 0;
 	unsigned char machine_pwd[16];
-	fstring machine_account;
-
-	netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
-	if (!netlogon_pipe) {
-		return NULL;
-	}
+	const char *machine_account;
 
 	/* Get the machine account credentials from secrets.tdb. */
-	if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+	if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+			       &sec_chan_type))
+	{
 		DEBUG(0, ("get_schannel_session_key: could not fetch "
 			"trust account password for domain '%s'\n",
 			domain));
-		cli_rpc_pipe_close(netlogon_pipe);
 		*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		return NULL;
+		return false;
 	}
 
-	/* A DC should use DOMAIN$ as its account name.
-	   A member server can only use it's machine name since it
-	   does not have an account in a trusted domain.
-
-	   We don't check the domain against lp_workgroup() here since
-	   'net ads join' has to continue to work with only the realm
-	   specified in smb.conf.  -- jerry */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-		fstrcpy( machine_account, lp_workgroup() );
-        } else {
-		fstrcpy(machine_account, global_myname());
-        }
-
 	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
 					cli->desthost, /* server name */
 					domain,	       /* domain */
@@ -2477,11 +2457,10 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
 					pneg_flags);
 
 	if (!NT_STATUS_IS_OK(*perr)) {
-		DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
+		DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
 			"failed with result %s to server %s, domain %s, machine account %s.\n",
 			nt_errstr(*perr), cli->desthost, domain, machine_account ));
-		cli_rpc_pipe_close(netlogon_pipe);
-		return NULL;
+		return false;
 	}
 
 	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
@@ -2489,6 +2468,34 @@ struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
 			cli->desthost));
 		cli_rpc_pipe_close(netlogon_pipe);
 		*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+		return false;
+	}
+
+	return true;
+}
+
+/****************************************************************************
+ Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
+ ****************************************************************************/
+
+
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+							const char *domain,
+							uint32 *pneg_flags,
+							NTSTATUS *perr)
+{
+	struct rpc_pipe_client *netlogon_pipe = NULL;
+
+	netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
+	if (!netlogon_pipe) {
+		return NULL;
+	}
+
+	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+					     pneg_flags, perr))
+	{
+		cli_rpc_pipe_close(netlogon_pipe);
 		return NULL;
 	}
 
@@ -2560,61 +2567,16 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
 							NTSTATUS *perr)
 {
 	struct rpc_pipe_client *netlogon_pipe = NULL;
-	uint32 sec_chan_type = 0;
-	unsigned char machine_pwd[16];
-	fstring machine_account;
 
 	netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
 	if (!netlogon_pipe) {
 		return NULL;
 	}
 
-	/* Get the machine account credentials from secrets.tdb. */
-	if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
-		DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
-			"trust account password for domain '%s'\n",
-			domain));
-		cli_rpc_pipe_close(netlogon_pipe);
-		*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		return NULL;
-	}
-
-        /* if we are a DC and this is a trusted domain, then we need to use our
-           domain name in the net_req_auth2() request */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-		fstrcpy( machine_account, lp_workgroup() );
-        } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
-        }
-
-	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
-					cli->desthost,     /* server name */
-					domain,            /* domain */
-					global_myname(),   /* client name */
-					machine_account,   /* machine account name */
-					machine_pwd,
-					sec_chan_type,
-					pneg_flags);
-
-	if (!NT_STATUS_IS_OK(*perr)) {
-		DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
-			"failed with result %s\n",
-			nt_errstr(*perr) ));
-		cli_rpc_pipe_close(netlogon_pipe);
-		return NULL;
-	}
-
-	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
-		DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
-			cli->desthost));
+	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+					     pneg_flags, perr))
+	{
 		cli_rpc_pipe_close(netlogon_pipe);
-		*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
 		return NULL;
 	}
author	James Peach <jpeach@samba.org>	2007-12-13 20:56:53 -0800
committer	James Peach <jpeach@samba.org>	2007-12-13 20:56:53 -0800
commit	7b457645fb40d7195d75f8e38883b140abcb1955 (patch)
tree	90c3ca21cd40c98ed4c7c1580b75216f689fad97 /source3/rpc_client/cli_pipe.c
parent	12ac4c3119b3b7712e670d95d61413d97ecafaef (diff)
parent	138333ed1f571cd6bb76c3be655f70e35cd48a99 (diff)
download	samba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.gz samba-7b457645fb40d7195d75f8e38883b140abcb1955.tar.bz2 samba-7b457645fb40d7195d75f8e38883b140abcb1955.zip