diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-10-20 03:47:55 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:00 -0500 |
| commit | 372ca26b2052e267711a45c8bf341f55505f3f8f (patch) | |
| tree | 8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/auth/credentials/credentials_files.c | |
| parent | 9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff) | |
| download | samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.gz samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.bz2 samba-372ca26b2052e267711a45c8bf341f55505f3f8f.zip | |
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
Diffstat (limited to 'source4/auth/credentials/credentials_files.c')
| -rw-r--r-- | source4/auth/credentials/credentials_files.c | 57 |
1 files changed, 53 insertions, 4 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 353ff61720..aa0a7f3213 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -164,7 +164,9 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) +static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + const char *base, + const char *filter) { TALLOC_CTX *mem_ctx; @@ -184,6 +186,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) const char *machine_account; const char *password; + const char *old_password; const char *domain; const char *realm; enum netr_SchannelType sct; @@ -201,10 +204,9 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) /* search for the secret record */ ldb_ret = gendb_search(ldb, - mem_ctx, ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN), + mem_ctx, ldb_dn_explode(mem_ctx, base), &msgs, attrs, - SECRETS_PRIMARY_DOMAIN_FILTER, - cli_credentials_get_domain(cred)); + "%s", filter); if (ldb_ret == 0) { DEBUG(1, ("Could not find join record to domain: %s\n", cli_credentials_get_domain(cred))); @@ -218,6 +220,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) } password = ldb_msg_find_string(msgs[0], "secret", NULL); + old_password = ldb_msg_find_string(msgs[0], "priorSecret", NULL); machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL); @@ -278,6 +281,52 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) } /** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) +{ + char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + cli_credentials_get_domain(cred)); + return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, + filter); +} + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) +{ + char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred)); + return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + filter); +} + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + const char *serviceprincipal) +{ + char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); + return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + filter); +} + +/** * Ask that when required, the credentials system will be filled with * machine trust account, from the secrets database. * |