diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-12-14 07:22:25 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:47:22 -0500 |
commit | a1827a1deba04e0b4b2a508dc4e4e66603a46d16 (patch) | |
tree | 47e9a16077efa868d1e4368990dc158d32e8ffe0 /source4/auth/credentials | |
parent | 470ba9434a3f10f8a53bacaac89204700adb89c4 (diff) | |
download | samba-a1827a1deba04e0b4b2a508dc4e4e66603a46d16.tar.gz samba-a1827a1deba04e0b4b2a508dc4e4e66603a46d16.tar.bz2 samba-a1827a1deba04e0b4b2a508dc4e4e66603a46d16.zip |
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r-- | source4/auth/credentials/credentials.c | 4 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_files.c | 39 |
2 files changed, 37 insertions, 6 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 22b7772182..0e37fdc4a6 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -171,6 +171,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) { + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + if (cred->principal_obtained >= CRED_SPECIFIED) { return True; } diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 6b3c77c4e3..1f7a7cf435 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -208,6 +208,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); if (!ldb) { + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -220,11 +222,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (ldb_ret == 0) { DEBUG(1, ("Could not find entry to match filter: %s\n", filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n", ldb_ret, filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -237,6 +243,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!machine_account) { DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -262,6 +270,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -312,7 +324,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, */ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, filter); @@ -326,7 +343,12 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, @@ -342,10 +364,15 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal) { - char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, - cli_credentials_get_realm(cred), - cli_credentials_get_domain(cred), - serviceprincipal); + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, filter); } |