authorAndrew Bartlett <abartlet@samba.org>2005-12-14 07:22:25 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:47:22 -0500
commita1827a1deba04e0b4b2a508dc4e4e66603a46d16 (patch)
tree47e9a16077efa868d1e4368990dc158d32e8ffe0 /source4/auth
parent470ba9434a3f10f8a53bacaac89204700adb89c4 (diff)
r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to an authenticated LDAP server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth_util.c2
-rw-r--r--source4/auth/credentials/credentials.c4
-rw-r--r--source4/auth/credentials/credentials_files.c39
-rw-r--r--source4/auth/gensec/schannel_state.c3
4 files changed, 39 insertions, 9 deletions
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 5a5e779bf1..dbedde9190 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -604,8 +604,6 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
}
cli_credentials_set_conf(session_info->credentials);
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(session_info->credentials);
cli_credentials_set_machine_account_pending(session_info->credentials);
*_session_info = session_info;
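Review bot: Dropping the eager `cli_credentials_set_anonymous()` here leaves the credentials with no usable identity until something resolves `machine_account_pending`, and in this commit only `cli_credentials_authentication_requested()` does that; any code that reads the username or password through another accessor before that call would presumably see whatever `cli_credentials_set_conf()` left rather than the anonymous fallback, so it is worth confirming the other getters honour the flag too. A one-line comment after the `cli_credentials_set_machine_account_pending()` call would make the new contract explicit, e.g. `/* no identity is set yet: the machine account is loaded lazily and only falls back to anonymous inside cli_credentials_set_secrets() */`. auth_system_session_info() begins outside the hunk.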
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 22b7772182..0e37fdc4a6 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -171,6 +171,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred,
BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
{
+ if (cred->machine_account_pending) {
+ cli_credentials_set_machine_account(cred);
+ }
+
if (cred->principal_obtained >= CRED_SPECIFIED) {
return True;
}
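Review bot: The NTSTATUS returned by `cli_credentials_set_machine_account(cred)` on the added line is discarded, so a failure to read the machine account is invisible at this call site and the function carries on as if it had succeeded; because cli_credentials_set_secrets() degrades to anonymous on its error paths, the caller then silently authenticates anonymously where it believed it was using the machine account. At minimum log it: `NTSTATUS status = cli_credentials_set_machine_account(cred); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("machine account unavailable, continuing: %s\n", nt_errstr(status))); }`. A function named `_requested` now also performs a secrets.ldb lookup as a side effect, which a comment on its declaration should say so the next reader is not surprised.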
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 6b3c77c4e3..1f7a7cf435 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -208,6 +208,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
if (!ldb) {
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
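Review bot: The new fallback on the `!ldb` path returns without `talloc_free(mem_ctx)`, unlike every other error path in this function, which frees it before returning; unless mem_ctx is a child of cred (not visible here) this leaks on each failed open, and five copies of `set_anonymous; talloc_free; return NT_STATUS_CANT_ACCESS_DOMAIN_INFO` are exactly the inconsistency a single cleanup label avoids. Degrading to anonymous on any failure is also a security-relevant decision — a caller that wanted a machine or SYSTEM token gets an unauthenticated one — so it deserves one clear comment at the fallback point rather than five copies of `/* set anonymous as the fallback ... */`. The rest of cli_credentials_set_secrets(), including the end of the function where the label would live, lies outside this hunk.
```c
	/* Local secrets are stored in secrets.ldb */
	ldb = secrets_db_connect(mem_ctx);
	if (!ldb) {
		DEBUG(1, ("Could not open secrets.ldb\n"));
		goto failed;
	}
	/* … unchanged: ldb_search, samAccountName and secret lookups; each error branch becomes `goto failed` … */

failed:
	/* The machine account cannot be used: degrade to anonymous rather than
	 * leave half-initialised credentials.  NOTE: this is a silent privilege
	 * downgrade; callers must check the returned status. */
	cli_credentials_set_anonymous(cred);
	talloc_free(mem_ctx);
	return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
```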
@@ -220,11 +222,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
if (ldb_ret == 0) {
DEBUG(1, ("Could not find entry to match filter: %s\n",
filter));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
ldb_ret, filter));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
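Review bot: The anonymous fallback added in the `ldb_ret != 1` branch also fires when `ldb_search` returns a negative error code (if, as its use here suggests, it does so on failure), so a transient ldb error now silently turns the machine account into anonymous while logging "Found more than one" — a misleading message for that case. Splitting the condition keeps the downgrade deliberate and the log honest: `} else if (ldb_ret < 0) { DEBUG(1, ("ldb_search failed: %s\n", ldb_errstring(ldb))); cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; }` before the `!= 1` test.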
@@ -237,6 +243,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
if (!machine_account) {
DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -262,6 +270,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
+
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -312,7 +324,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
*/
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
{
- char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
filter);
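Review bot: `filter` from `talloc_asprintf()` is still passed to `cli_credentials_set_secrets()` without a NULL check, and it is allocated on `cred` while nothing in the hunk frees it, so each call appears to leak a small string for the lifetime of the credentials; rewriting these lines is the moment to add `if (!filter) return NT_STATUS_NO_MEMORY;` and to free the filter after the call (or allocate it on a context that set_secrets releases). The "Bleh, nasty recursion issues" comment should name the recursion — presumably `cli_credentials_get_domain()` on the next line re-entering the pending check — so a reader knows why the flag must be cleared before the asprintf, e.g. `/* clear the pending flag first: cli_credentials_get_domain() below would otherwise re-enter cli_credentials_set_machine_account() */`.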
@@ -326,7 +343,12 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
{
- char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
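Review bot: The comment copied into `cli_credentials_set_krbtgt()` says "We are setting a machine account here", which is not what this function does; it should describe this case (and the identical copy in `cli_credentials_set_stored_principal()` below), e.g. `/* clear machine_account_pending before any cli_credentials_get_*() call so the lookup cannot recurse into cli_credentials_set_machine_account() */`. Three identical sequences of flag clear, `talloc_asprintf` and `cli_credentials_set_secrets` suggest a small static helper taking the DN and filter, which would also give a single place for the NULL check that `filter` lacks in all three.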
@@ -342,10 +364,15 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
const char *serviceprincipal)
{
- char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
- cli_credentials_get_realm(cred),
- cli_credentials_get_domain(cred),
- serviceprincipal);
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
+ cli_credentials_get_realm(cred),
+ cli_credentials_get_domain(cred),
+ serviceprincipal);
return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
filter);
}
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index 83776c4187..8f9a8ef6b5 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -47,7 +47,8 @@ static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx)
existed = file_exists(path);
- ldb = ldb_wrap_connect(mem_ctx, path, LDB_FLG_NOSYNC, NULL);
+ ldb = ldb_wrap_connect(mem_ctx, path, system_session(mem_ctx),
+ NULL, LDB_FLG_NOSYNC, NULL);
talloc_free(path);
if (!ldb) {
return NULL;
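Review bot: `system_session(mem_ctx)` is passed straight into `ldb_wrap_connect()` without a NULL check; if it can fail (its contract is not visible in the hunk) the schannel state database would be opened with no session at all, the opposite of what this change intends for a store of secure-channel session keys. Capture it first: `struct auth_session_info *sess = system_session(mem_ctx); if (!sess) { talloc_free(path); return NULL; }` and pass `sess`. The session is allocated on mem_ctx, so its lifetime is tied to the connection context, which looks intended but is worth a one-line comment. schannel_db_connect() continues outside the hunk.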