author | Rafal Szczesniak <mimir@samba.org> | 2007-08-29 19:55:13 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:30:21 -0500 |
commit | 48853f0badc92b86c18ed3daad3d45f8d74c5cac (patch) | |
tree | 3f51213aaa0a87ae4826a7456134b0bbdfe7145e /source3/utils/net_rpc_join.c | |
parent | babab94fb9a900008c72ca6271dd04fa96175fab (diff) | |
r24789: Add implementation of machine-authenticated connection to netlogon
pipe used when connecting to win2k and newer domain controllers. The
server may be configured to deny anonymous netlogon connections, which
would stop the domain join verification step. Still, winnt domains require
such smb sessions not to be authenticated using machine credentials.
Creds employed in smb session cannot have a username in upn form, so
provide the separate function to use machine account.
rafal
(This used to be commit 30d99d8ac3379caadc5bdb353977149d1ee16403)
Diffstat (limited to 'source3/utils/net_rpc_join.c')
-rw-r--r-- | source3/utils/net_rpc_join.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 558de8d8b4..1097eb9575 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -42,14 +42,29 @@
 **/
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
+ enum security_types sec;
+ unsigned int conn_flags = NET_FLAGS_PDC;
 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
 struct cli_state *cli = NULL;
 struct rpc_pipe_client *pipe_hnd = NULL;
 struct rpc_pipe_client *netlogon_pipe = NULL;
 NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
+ sec = (enum security_types)lp_security();
+
+ if (sec == SEC_ADS) {
+ /* Connect to IPC$ using machine account's credentials. We don't use anonymous
+ connection here, as it may be denied by server's local policy. */
+ net_use_machine_account();
+
+ } else {
+ /* some servers (e.g. WinNT) don't accept machine-authenticated
+ smb connections */
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
 /* Connect to remote machine */
- if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+ if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
 return -1;
 }
|
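Review bot: The result of `net_use_machine_account()` in the `SEC_ADS` branch is discarded, and that branch leaves `NET_FLAGS_ANONYMOUS` unset, so if loading the machine account does not succeed, the following `net_make_ipc_connection_ex()` call presumably proceeds with whatever credentials are currently configured. The helper's definition is not in this file's diff, so whether it can report failure needs confirming; if it can, bail out before connecting, along the lines of `if (net_use_machine_account() != 0) return -1;`. Since it takes no arguments, it presumably changes process-wide credential settings that outlast this verification step, which deserves a short comment at the call site. Note also that the choice is keyed on the local `security` setting rather than on what the server accepts, so a non-ADS member still connects anonymously to a DC that denies anonymous netlogon. The body of net_rpc_join_ok continues past the end of the hunk.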