authorAndrew Bartlett <abartlet@samba.org>2006-01-24 05:31:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:26 -0500
commit28d78c40ade22c4b5d445dbe23f18ca210e41f8c (patch)
treed3cd9bdaca50e4cd7af031f1b2550836b9190417 /source4/auth/credentials
parentfc29c3250af5fbcd81725e38fb48ca1ec5ae23bf (diff)
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r--source4/auth/credentials/credentials_files.c29
-rw-r--r--source4/auth/credentials/credentials_krb5.c14
2 files changed, 24 insertions, 19 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 219869cf3a..53350b8ed0 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
} else {
-
- DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
- cli_credentials_get_domain(cred)));
-
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
-
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
}
+ } else {
+ cli_credentials_set_password(cred, password, CRED_SPECIFIED);
}
+
domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
if (domain) {
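Review bot: The new `else` branch accepts a join record with neither `secret` nor `ntPwdHash` silently. It stores a NULL password as `CRED_SPECIFIED`, and the old `NT_STATUS_CANT_ACCESS_DOMAIN_INFO` return and its log line are gone. Callers that used that status to detect an unusable machine account will presumably see success now and fail later, at authentication time, with a less specific error. Keeping a low-level trace such as `DEBUG(3, ("No 'secret' or 'ntPwdHash' in join record to domain: %s\n", cli_credentials_get_domain(cred)));` in that branch would leave the condition diagnosable. Marking the NULL as `CRED_SPECIFIED` may also prevent later fallback sources from supplying a password, and that deserves a short comment stating it is intended. The body of cli_credentials_set_secrets starts and ends outside this hunk.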
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- if (password) {
- cli_credentials_set_password(cred, password, CRED_SPECIFIED);
- }
cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
return NT_STATUS_ACCESS_DENIED;
}
- /* search for the secret record */
+ /* search for the secret record, but only of things we can
+ * actually update */
ldb_ret = gendb_search(ldb,
mem_ctx, NULL,
&msgs, attrs,
- "objectClass=kerberosSecret");
+ "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
if (ldb_ret == -1) {
- DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+ DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
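Review bot: The rewritten DEBUG format string has a doubled colon and no trailing newline, so the ldb error text will run into the next log entry. I would write it as `DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab: %s\n", ldb_errstring(ldb)));`. A one-line comment above the new filter would also help, for example `/* records without secret/ntPwdHash are served from the HDB keytab and have nothing to write here */`, because the comment added in the hunk does not say why such records are skipped.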
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
filter));
- talloc_free(mem_ctx);
- return status;
+ continue;
}
ret = cli_credentials_update_keytab(creds);
if (ret != 0) {
DEBUG(1, ("Failed to update keytab for %s\n",
filter));
- talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ continue;
}
}
return NT_STATUS_OK;
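Review bot: With both error paths turned into `continue`, the loop now ends in `return NT_STATUS_OK;` even if every keytab update failed. A caller cannot tell a fully refreshed keytab from one still holding stale keys after a password change. Continuing past a bad record is reasonable, but the first failure should still be reported: set `first_error = status;` (or `NT_STATUS_UNSUCCESSFUL` in the second branch) before each `continue`, and end with `return first_error;`, with the variable initialised to `NT_STATUS_OK` above the loop, outside this hunk. Also, no `talloc_free(mem_ctx)` is visible before the final return. The removed lines were the only visible frees, so please confirm the success path releases the per-call context, which may hold secret material read from the database.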
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 5f40ca1046..29b70d9a53 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -43,6 +43,20 @@ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
return 0;
}
+/* This needs to be called directly after the cli_credentials_init(),
+ * otherwise we might have problems with the krb5 context already
+ * being here.
+ */
+NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
+ struct smb_krb5_context *smb_krb5_context)
+{
+ if (!talloc_reference(cred, smb_krb5_context)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ cred->smb_krb5_context = smb_krb5_context;
+ return NT_STATUS_OK;
+}
+
int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained)
{
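Review bot: cli_credentials_set_krb5_context documents that it must run directly after cli_credentials_init(), but nothing in the body enforces that. If `cred->smb_krb5_context` is already set, it is overwritten and the old context stays attached to `cred`. Any ccache or keytab already created under the old context would then be used with a different one. A guard at the top, such as `if (cred->smb_krb5_context) { return NT_STATUS_INVALID_PARAMETER; }`, would turn the comment into a checked precondition. Separately, a NULL `smb_krb5_context` makes `talloc_reference()` return NULL, which is reported as `NT_STATUS_NO_MEMORY`; rejecting NULL explicitly would give callers an accurate error.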