author | Andrew Bartlett <abartlet@samba.org> | 2006-01-24 05:31:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:26 -0500 |
commit | 28d78c40ade22c4b5d445dbe23f18ca210e41f8c (patch) | |
tree | d3cd9bdaca50e4cd7af031f1b2550836b9190417 /source4/auth/credentials | |
parent | fc29c3250af5fbcd81725e38fb48ca1ec5ae23bf (diff) | |
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r-- | source4/auth/credentials/credentials_files.c | 29 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 14 |
2 files changed, 24 insertions, 19 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 219869cf3a..53350b8ed0 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
 } else {
-
- DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
- cli_credentials_get_domain(cred)));
-
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
-
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 }
+ } else {
+ cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 }
+
 domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
 if (domain) {
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 }
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- if (password) {
- cli_credentials_set_password(cred, password, CRED_SPECIFIED);
- }
 cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 return NT_STATUS_ACCESS_DENIED;
 }
- /* search for the secret record */
+ /* search for the secret record, but only of things we can
+ * actually update */
 ldb_ret = gendb_search(ldb, mem_ctx, NULL, &msgs, attrs,
- "objectClass=kerberosSecret");
+ "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
 if (ldb_ret == -1) {
- DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+ DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
 talloc_free(mem_ctx);
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 }
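Review bot: In the first hunk of cli_credentials_set_secrets, a join record with neither `secret` nor `ntPwdHash` now leaves the credentials with a NULL password marked CRED_SPECIFIED and logs nothing, where the removed branch reported the condition and returned NT_STATUS_CANT_ACCESS_DOMAIN_INFO. If that is deliberate (the commit message suggests the keys are now expected to come from the HDB), the new `else` branch should say so in a comment, for example `/* no secret stored in this record; not an error, keys may come from the HDB keytab */`. Keeping a `DEBUG` line there at a higher debug level would leave the case diagnosable when a machine account later fails to authenticate. The function starts and ends outside the hunk, so the status it finally returns for this case cannot be confirmed here.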
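Review bot: The new DEBUG format string in the `@@ -417,13 +409,14 @@` hunk of cli_credentials_update_all_keytabs has a doubled colon and no trailing newline, so the ldb error text will run into the next log entry. `DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab: %s\n", ldb_errstring(ldb)));` reads cleanly. The narrowed filter also means kerberosSecret records without `secret` or `ntPwdHash` are skipped without any log line, which is worth stating in the comment above the search.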
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to read secrets for keytab update for %s\n", filter));
- talloc_free(mem_ctx);
- return status;
+ continue;
 }
 ret = cli_credentials_update_keytab(creds);
 if (ret != 0) {
 DEBUG(1, ("Failed to update keytab for %s\n", filter));
- talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ continue;
 }
 }
 return NT_STATUS_OK;
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 5f40ca1046..29b70d9a53 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -43,6 +43,20 @@ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
 return 0;
 }
+/* This needs to be called directly after the cli_credentials_init(),
+ * otherwise we might have problems with the krb5 context already
+ * being here.
+ */
+NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
+ struct smb_krb5_context *smb_krb5_context)
+{
+ if (!talloc_reference(cred, smb_krb5_context)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ cred->smb_krb5_context = smb_krb5_context;
+ return NT_STATUS_OK;
+}
+
 int cli_credentials_set_from_ccache(struct cli_credentials *cred, enum credentials_obtained obtained)
 {
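Review bot: With both failure paths in the `@@ -442,15 +435,13 @@` hunk changed to `continue`, cli_credentials_update_all_keytabs returns NT_STATUS_OK even when every record failed, so a caller cannot tell that a keytab may still hold stale keys after a password change. Skipping a bad record is reasonable, but the first failure should be remembered and returned after the loop: declare `NTSTATUS result = NT_STATUS_OK;`, set `result = status;` (or `result = NT_STATUS_UNSUCCESSFUL;` on the keytab path) before each `continue`, and finish with `return result;`. The loop header and the allocation of `creds` are outside the hunk. It therefore cannot be checked here whether a skipped iteration leaves its per-record allocation on `mem_ctx`, or whether `mem_ctx` is released before the final return.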
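Review bot: cli_credentials_set_krb5_context in credentials_krb5.c overwrites `cred->smb_krb5_context` without checking whether a context is already attached, so the ordering requirement exists only in the comment. A later call would leave the earlier context held by `cred` but no longer reachable through it. A guard such as `if (cred->smb_krb5_context != NULL) return NT_STATUS_INVALID_PARAMETER;` would enforce the rule, assuming the field is NULL after cli_credentials_init(), which is not visible in this hunk. A NULL `smb_krb5_context` argument should also be rejected explicitly, because talloc_reference() returns NULL for a NULL pointer and the caller would be told NT_STATUS_NO_MEMORY.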