diff options
| author | Michael Adam <obnox@samba.org> | 2008-07-23 17:54:25 +0200 |
|---|---|---|
| committer | Michael Adam <obnox@samba.org> | 2008-07-23 18:01:02 +0200 |
| commit | c71030bd04eee5f50be56ac2460393dfbe2fdd23 (patch) | |
| tree | dbc6d2012bdf244115ae030828009b021b3077bb /source4/libnet/libnet_become_dc.c | |
| parent | 1f20ca14cc1a2604a7af41e6ca03852f0398d88a (diff) | |
| download | samba-c71030bd04eee5f50be56ac2460393dfbe2fdd23.tar.gz samba-c71030bd04eee5f50be56ac2460393dfbe2fdd23.tar.bz2 samba-c71030bd04eee5f50be56ac2460393dfbe2fdd23.zip | |
libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth.
This allows controlling whether krb5 auth is forced for the rpc bind in
libnet_become_dc. It defaults to "yes". For Windows 2000, DsGetNCChanges
only krb5 auth works due to a bug in Windows (it returns garbage - a
positive object count is returned along with first object == NULL).
For Windows 2008, on the other hand, krb5 auth does not work currently
due to the lack of support for AES keys. (Metze is working on that.)
Michael
(This used to be commit af85aad8147b85a0b9ea2ccc66b8f04efdfe5cf3)
Diffstat (limited to 'source4/libnet/libnet_become_dc.c')
| -rw-r--r-- | source4/libnet/libnet_become_dc.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 6a13974236..8b7fd57780 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -1516,22 +1516,30 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s, drsuapi->s = s; if (!drsuapi->binding) { + char *krb5_str = ""; + char *print_str = ""; /* - * Note: It's important to pass 'krb5' as auth_type here - * otherwise the replication will not work with - * Windows 2000. If NTLMSSP is used Windows 2000 - * returns garbage in the DsGetNCChanges() response + * Note: Replication only works with Windows 2000 when 'krb5' is + * passed as auth_type here. If NTLMSSP is used, Windows + * 2000 returns garbage in the DsGetNCChanges() response * if encrypted password attributes would be in the response. * That means the replication of the schema and configuration * partition works fine, but it fails for the domain partition. */ - if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) { - binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name); - if (composite_nomem(binding_str, c)) return; - } else { - binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,seal]", s->source_dsa.dns_name); - if (composite_nomem(binding_str, c)) return; + if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", + "force krb5", true)) + { + krb5_str = "krb5,"; } + if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", + "print", false)) + { + print_str = "print,"; + } + binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[%s%sseal]", + s->source_dsa.dns_name, + krb5_str, print_str); + if (composite_nomem(binding_str, c)) return; c->status = dcerpc_parse_binding(s, binding_str, &drsuapi->binding); talloc_free(binding_str); if (!composite_is_ok(c)) return; |