author | Andrew Bartlett <abartlet@samba.org> | 2007-02-04 07:17:03 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:44:31 -0500 |
commit | 744dddd75be73e4e883241b808b37a12a7a39ac1 (patch) | |
tree | be0695eb7e6692452f515395663edb63df52d56e /source4/auth | |
parent | 627595b7a3c91d02fe8a29737beb77b2a4c4ae0f (diff) | |
r21135: Instead of having hooks to update keytabs as an explicit thing, update
them as a hook on ldb modify, via a module.
This should allow the secrets.ldb to be edited by the admin, and to
have things update in the on-disk keytab just as an in-memory keytab
would.
This isn't really a dsdb plugin, but I don't have any other good ideas
about where to put it.
Andrew Bartlett
(This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/credentials/credentials.c | 8 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_files.c | 85 |
2 files changed, 18 insertions, 75 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 2a64a7c50c..48d44ad8e7 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -349,8 +349,12 @@ BOOL cli_credentials_set_nt_hash(struct cli_credentials *cred,
 {
 	if (obtained >= cred->password_obtained) {
 		cli_credentials_set_password(cred, NULL, obtained);
-		cred->nt_hash = talloc(cred, struct samr_Password);
-		*cred->nt_hash = *nt_hash;
+		if (nt_hash) {
+			cred->nt_hash = talloc(cred, struct samr_Password);
+			*cred->nt_hash = *nt_hash;
+		} else {
+			cred->nt_hash = NULL;
+		}
 		return True;
 	}
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index a0ce4a2fd1..006f242de9 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -169,12 +169,12 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file,
  * @retval NTSTATUS error detailing any failure
  */
 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+				     struct ldb_context *ldb,
 				     const char *base,
 				     const char *filter)
 {
 	TALLOC_CTX *mem_ctx;
-	struct ldb_context *ldb;
 	int ldb_ret;
 	struct ldb_message **msgs;
 	const char *attrs[] = {
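Review bot: The talloc() result on the new `cred->nt_hash = talloc(cred, struct samr_Password);` line is dereferenced on the very next line with no NULL check, so an allocation failure turns into a NULL write instead of a reported error; insert `if (!cred->nt_hash) { return False; }` between the two lines, which matches the BOOL contract of this function. The assignment also overwrites whatever cred->nt_hash pointed to before without releasing it — unless cli_credentials_set_password(cred, NULL, obtained) on the preceding line already frees it (not visible in this hunk), the previous hash object stays allocated under cred for as long as cred lives, which for key material is worth confirming. cli_credentials_set_nt_hash continues outside the hunk.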
@@ -209,13 +209,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 	mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
-	/* Local secrets are stored in secrets.ldb */
-	ldb = secrets_db_connect(mem_ctx);
 	if (!ldb) {
-		/* set anonymous as the fallback, if the machine account won't work */
-		cli_credentials_set_anonymous(cred);
-		DEBUG(1, ("Could not open secrets.ldb\n"));
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		/* Local secrets are stored in secrets.ldb */
+		ldb = secrets_db_connect(mem_ctx);
+		if (!ldb) {
+			/* set anonymous as the fallback, if the machine account won't work */
+			cli_credentials_set_anonymous(cred);
+			DEBUG(1, ("Could not open secrets.ldb\n"));
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
 	}
 	/* search for the secret record */
@@ -327,7 +329,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
 	cred->machine_account_pending = False;
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
				 cli_credentials_get_domain(cred));
-	return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
+	return cli_credentials_set_secrets(cred, NULL, SECRETS_PRIMARY_DOMAIN_DN,
 					   filter);
 }
@@ -347,7 +349,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
 	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
 				 cli_credentials_get_realm(cred),
 				 cli_credentials_get_domain(cred));
-	return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
+	return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN,
 					   filter);
 }
@@ -369,7 +371,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
 				 cli_credentials_get_realm(cred),
 				 cli_credentials_get_domain(cred),
 				 serviceprincipal);
-	return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
+	return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN,
 					   filter);
 }
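Review bot: The new `ldb` parameter of cli_credentials_set_secrets has two modes — a caller-supplied handle, or NULL meaning "open secrets.ldb under mem_ctx" — but only the NULL mode is explained, by the comment moved inside the `if (!ldb)` block, and the function's doc comment (the `@retval` block in the previous hunk) says nothing about it; add a line such as `@param ldb ldb handle to search, or NULL to open secrets.ldb (that connection is then owned by this call's mem_ctx and not returned to the caller)`. On the `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` path the mem_ctx created on the first line of the hunk as a child of cred is never freed; that is pre-existing, but since the commit re-indents that whole block anyway, a `talloc_free(mem_ctx);` before the return would stop the failure path from leaving the context attached to cred. The three later hunks in this file only pass NULL at the existing call sites. The body of cli_credentials_set_secrets continues outside the hunk.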
@@ -388,66 +390,3 @@ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred)
 }
-NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
-{
-	TALLOC_CTX *mem_ctx;
-	int ldb_ret;
-	struct ldb_context *ldb;
-	struct ldb_message **msgs;
-	const char *attrs[] = { NULL };
-	struct cli_credentials *creds;
-	const char *filter;
-	NTSTATUS status;
-	int i, ret;
-
-	mem_ctx = talloc_new(parent_ctx);
-	if (!mem_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	/* Local secrets are stored in secrets.ldb */
-	ldb = secrets_db_connect(mem_ctx);
-	if (!ldb) {
-		DEBUG(1, ("Could not open secrets.ldb\n"));
-		talloc_free(mem_ctx);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	/* search for the secret record, but only of things we can
-	 * actually update */
-	ldb_ret = gendb_search(ldb,
-			       mem_ctx, NULL,
-			       &msgs, attrs,
-			       "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
-	if (ldb_ret == -1) {
-		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
-		talloc_free(mem_ctx);
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
-	for (i=0; i < ldb_ret; i++) {
-		/* Make a credentials structure from it */
-		creds = cli_credentials_init(mem_ctx);
-		if (!creds) {
-			DEBUG(1, ("cli_credentials_init failed!"));
-			talloc_free(mem_ctx);
-			return NT_STATUS_NO_MEMORY;
-		}
-		cli_credentials_set_conf(creds);
-		filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_get_linearized(msgs[i]->dn));
-		status = cli_credentials_set_secrets(creds, NULL, filter);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
-				  filter));
-			continue;
-		}
-		ret = cli_credentials_update_keytab(creds);
-		if (ret != 0) {
-			DEBUG(1, ("Failed to update keytab for %s\n",
-				  filter));
-			continue;
-		}
-	}
-	return NT_STATUS_OK;
-}
-