authorAndrew Bartlett <abartlet@samba.org>2008-07-15 20:27:43 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-07-15 20:27:43 +1000
commitd904b71879cf980f602bfd400cf98396616c13e1 (patch)
treefaffbb30f594b04903813f5267bd0c7d01c5d575 /source4/auth
parentcc44b10c240e22a7db83c641a9015dad3ec2e0de (diff)
parent63d91e9ab0ecc1e80edff27ae09b249c68453106 (diff)
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
(This used to be commit 7fb8179f214bbba95eb35d221cb9892b55afe121)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials_files.c48
-rw-r--r--source4/auth/ntlmssp/ntlmssp_client.c15
2 files changed, 48 insertions, 15 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 05b0bf56a8..6c3bb2531e 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
"privateKeytab",
"krb5Keytab",
"servicePrincipalName",
+ "ldapBindDn",
NULL
};
@@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
+ talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
}
@@ -231,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
&msgs, attrs,
"%s", filter);
if (ldb_ret == 0) {
- DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n",
filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
- DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
ldb_ret, filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
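Review bot: Dropping the "Found more than one (%d) entry" message to level 5 hides a condition that is not the "normal if no LDAP backend required" case the zero-match message is now annotated with: two records matching one secrets filter means secrets.ldb is inconsistent, and the caller is silently downgraded to anonymous credentials on that path. Unless duplicates are expected for some filter (not evident from this hunk), I would keep that branch visible in default logs, `DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",`, and leave only the zero-match message at level 5. cli_credentials_set_secrets starts and ends outside this hunk.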
@@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
if (!machine_account) {
- DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
- cli_credentials_get_domain(cred), filter, base));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+ if (!ldap_bind_dn) {
+ DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n",
+ filter, base));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
}
}
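Review bot: The ldapBindDn value is read into ldap_bind_dn but, within this hunk, it is only tested for non-NULL and never applied to cred, so a reader cannot tell whether the bind DN is used or merely gates the anonymous fallback. If it is set on the credentials further down the function (outside this hunk), a comment at the lookup would say so, e.g. `/* ldapBindDn is applied to cred below; here it only decides whether this record is usable without a machine account */`; if it is not, the DN is looked up and discarded and a `cli_credentials_set_bind_dn(cred, ldap_bind_dn)`-style call is missing. The fallback to anonymous when neither attribute exists is unchanged by the commit and still happens silently apart from the level-1 message. cli_credentials_set_secrets continues outside this hunk.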
@@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
- cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ if (machine_account) {
+ cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ }
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
/**
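Review bot: The new DEBUG format string in cli_credentials_set_machine_account has no trailing newline, so the next debug line will be appended to it; it should read `DEBUG(1, ("Could not find machine account in secrets database: %s\n", nt_errstr(status)));`. The wording is also narrower than the status it reports, since cli_credentials_set_secrets returns the same NT_STATUS_CANT_ACCESS_DOMAIN_INFO when secrets.ldb cannot be opened at all (visible in the earlier hunk), so "Could not load machine account from secrets database" would be more accurate. The function begins outside this hunk.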
@@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
struct event_context *event_ctx,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
/**
- * Fill in credentials for the machine trust account, from the secrets database.
+ * Fill in credentials for a particular prinicpal, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
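Review bot: The DEBUG format in cli_credentials_set_krbtgt lacks a trailing newline, so following log output will run onto the same line; it should be `DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s\n", nt_errstr(status)));`. The doc comment changed at the end of the hunk also introduces a typo, "prinicpal", which should read `* Fill in credentials for a particular principal, from the secrets database.`. cli_credentials_set_krbtgt begins outside this hunk.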
@@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
@@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status)));
+ }
+ return status;
}
/**
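Review bot: The DEBUG format in cli_credentials_set_stored_principal is missing its trailing newline, same as the other two logging additions in this commit; it should be `DEBUG(1, ("Could not find %s principal in secrets database: %s\n", serviceprincipal, nt_errstr(status)));`. The message prints serviceprincipal with %s, which is safe only if callers never pass NULL; the same assumption is already made by the talloc_asprintf above it, so a brief note on the parameter (`@param serviceprincipal must not be NULL`) in the function's doc comment would make that explicit. cli_credentials_set_stored_principal begins outside this hunk.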
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index e07c64befb..891761860c 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -49,6 +49,17 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
+ const char *domain = gensec_ntlmssp_state->domain;
+ const char *workstation = cli_credentials_get_workstation(gensec_security->credentials);
+
+ /* These don't really matter in the initial packet, so don't panic if they are not set */
+ if (!domain) {
+ domain = "";
+ }
+
+ if (!workstation) {
+ workstation = "";
+ }
if (gensec_ntlmssp_state->unicode) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
@@ -67,8 +78,8 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
"NTLMSSP",
NTLMSSP_NEGOTIATE,
gensec_ntlmssp_state->neg_flags,
- gensec_ntlmssp_state->domain,
- cli_credentials_get_workstation(gensec_security->credentials));
+ domain,
+ workstation);
gensec_ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;