author | Andrew Bartlett <abartlet@samba.org> | 2005-01-21 11:23:11 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:09:04 -0500 |
commit | 4962fd4f288eb58b491a42f5496a4e6185d42df8 (patch) | |
tree | eb505e5d0d42506c9dfd0d23698467128fec1b6b /source4/libcli/auth | |
parent | cda0a7e76e1862f403cd827e36f3e5624f5d6fa8 (diff) | |
r4893: Move the Kerberos ticket verification to read the machine secret from secrets.ldb
instead of the Samba3-style secrets.tdb.
Andrew Bartlett
(This used to be commit 21bfda2a0d1c8373f8800269ed9b982e1b9a19e5)
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r-- | source4/libcli/auth/kerberos_verify.c | 45 |
1 files changed, 33 insertions, 12 deletions
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index 92980f1122..b089d633ed 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -26,6 +26,8 @@
 #include "system/kerberos.h"
 #include "libcli/auth/kerberos.h"
 #include "asn_1.h"
+#include "lib/ldb/include/ldb.h"
+#include "secrets.h"
 #ifdef HAVE_KRB5
@@ -179,26 +181,46 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 krb5_keyblock *keyblock)
 {
 krb5_error_code ret = 0;
- char *password_s = NULL;
 krb5_data password;
 krb5_enctype *enctypes = NULL;
 int i;
-
+ const struct ldb_val *password_v;
+ struct ldb_wrap *ldb;
+ int ldb_ret;
+ struct ldb_message **msgs;
+ const char *base_dn = SECRETS_PRIMARY_DOMAIN_DN;
+ const char *attrs[] = {
+ "secret",
+ NULL
+ };
+
 ZERO_STRUCTP(keyblock);
- if (!secrets_init()) {
- DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
- return KRB5_KT_END;
+ /* Local secrets are stored in secrets.ldb */
+ ldb = secrets_db_connect(mem_ctx);
+ if (!ldb) {
+ return ENOENT;
 }
- password_s = secrets_fetch_machine_password(lp_workgroup());
- if (!password_s) {
- DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
- return KRB5_KT_END;
+ /* search for the secret record */
+ ldb_ret = samdb_search(ldb,
+ mem_ctx, base_dn, &msgs, attrs,
+ "(&(realm=%s)(objectclass=primaryDomain))",
+ lp_realm());
+ if (ldb_ret == 0) {
+ DEBUG(1, ("Could not find domain join record for %s\n",
+ lp_realm()));
+ return ENOENT;
+ } else if (ldb_ret != 1) {
+ DEBUG(1, ("Found %d records matching cn=%s under DN %s\n", ldb_ret,
+ lp_realm(), base_dn));
+ return ENOENT;
 }
- password.data = password_s;
- password.length = strlen(password_s);
+ password_v = ldb_msg_find_ldb_val(msgs[0], "secret");
+
+ password.data = password_v->data;
+ password.length = password_v->length;
 /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
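Review bot: `password_v = ldb_msg_find_ldb_val(msgs[0], "secret");` is dereferenced on the next two lines with no NULL check, so a join record that matches the filter but carries no `secret` attribute crashes the ticket-verify path instead of failing it; the code being replaced rejected a missing machine password (`if (!password_s)`) and that guard was lost in the move to secrets.ldb. Add `if (!password_v) { DEBUG(1, ("Domain join record for %s has no secret\n", lp_realm())); return ENOENT; }` before `password.data` is assigned. The `ldb_ret != 1` branch also logs `cn=%s` while the filter matches on `realm=%s`, and if samdb_search reports failure with a negative count that branch would print it as a record count, so a separate `ldb_ret < 0` check is worth considering if that is its contract. ads_secrets_verify_ticket begins before this hunk and continues past it (its `out:` label is in the following hunk).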
@@ -247,7 +269,6 @@ static krb5_error_code ads_secrets_verify_ticket(TALLOC_CTX *mem_ctx, krb5_conte
 out:
 free_kerberos_etypes(context, enctypes);
- SAFE_FREE(password_s);
 return ret;
 }