author | Gerald Carter <jerry@samba.org> | 2006-05-12 15:17:35 +0000 |
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:16:57 -0500 |
commit | 2c029a8b96ae476f1d5c2abe14ee25f98a1513d8 (patch) | |
tree | d256cef6a5f4802549a599477c6bc8b4897d4ff0 /source3/sam | |
parent | fc5f948260477e4c43e844be1abb09056174d69e (diff) | |
r15543: New implementation of 'net ads join' to be more like Windows XP.
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
Diffstat (limited to 'source3/sam')
-rw-r--r-- | source3/sam/idmap_ad.c | 38 |
1 files changed, 6 insertions, 32 deletions
diff --git a/source3/sam/idmap_ad.c b/source3/sam/idmap_ad.c
index f9a959e7ec..0803f2a7ab 100644
--- a/source3/sam/idmap_ad.c
+++ b/source3/sam/idmap_ad.c
@@ -78,10 +78,6 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
 	ADS_STATUS status;
 	BOOL local = False;
 
-#ifdef ADS_AUTH_EXTERNAL_BIND
-	local = ((strncmp(ad_idmap_uri, "ldapi://", sizeof("ldapi://") - 1)) == 0);
-#endif /* ADS_AUTH_EXTERNAL_BIND */
-
 	if (ad_idmap_ads != NULL) {
 		ads = ad_idmap_ads;
@@ -105,40 +101,18 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
 		setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
 	}
 
-	ads = ads_init(NULL, NULL, NULL);
+	ads = ads_init(lp_realm(), lp_workgroup(), NULL);
 	if (!ads) {
 		DEBUG(1,("ads_init failed\n"));
 		return NULL;
 	}
 
-	/* if ad_imap_uri is not empty we try to connect to
-	 * the given URI in smb.conf. Else try to connect to
-	 * one of the DCs
-	 */
-	if (*ad_idmap_uri != '\0') {
-		ads->server.ldap_uri = SMB_STRDUP(ad_idmap_uri);
-		if (ads->server.ldap_uri == NULL) {
-			return NULL;
-		}
-	}
-	else {
-		ads->server.ldap_uri = NULL;
-		ads->server.ldap_server = NULL;
-	}
+	/* the machine acct password might have change - fetch it every time */
+	SAFE_FREE(ads->auth.password);
+	ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 
-#ifdef ADS_AUTH_EXTERNAL_BIND
-	if (local)
-		ads->auth.flags |= ADS_AUTH_EXTERNAL_BIND;
-	else
-#endif
-	{
-		/* the machine acct password might have change - fetch it every time */
-		SAFE_FREE(ads->auth.password);
-		ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
-		SAFE_FREE(ads->auth.realm);
-		ads->auth.realm = SMB_STRDUP(lp_realm());
-	}
+	SAFE_FREE(ads->auth.realm);
+	ads->auth.realm = SMB_STRDUP(lp_realm());
 
 	status = ads_connect(ads);
 	if (!ADS_ERR_OK(status)) {
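Review bot: `BOOL local = False;`, kept as context in the first hunk, is now dead code — its only assignment (the `#ifdef ADS_AUTH_EXTERNAL_BIND` block) and its only use (`if (local)` in the second hunk) are both removed here, so the declaration should be dropped as well rather than left to draw an unused-variable warning. In the second hunk the result of `secrets_fetch_machine_password()` is stored in `ads->auth.password` and handed straight to `ads_connect()` with no NULL check, so if no machine account password is stored for the workgroup the bind is attempted with a NULL password instead of failing early with a diagnostic like the `ads_init` path two lines above; something like `if (!ads->auth.password) { DEBUG(1,("no machine account password for %s\n", lp_workgroup())); return NULL; }` (releasing `ads` first) would make the failure explicit, and the unchecked `SMB_STRDUP(lp_realm())` that follows deserves the same treatment. The moved comment should also read `might have changed`. ad_idmap_cached_connection() continues beyond the end of the hunk.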