authorMichael Adam <obnox@samba.org>2008-07-23 17:54:25 +0200
committerMichael Adam <obnox@samba.org>2008-07-23 18:01:02 +0200
commitc71030bd04eee5f50be56ac2460393dfbe2fdd23 (patch)
treedbc6d2012bdf244115ae030828009b021b3077bb /source4/libnet
parent1f20ca14cc1a2604a7af41e6ca03852f0398d88a (diff)
libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth.
This allows controlling whether krb5 auth is forced for the rpc bind in libnet_become_dc. It defaults to "yes". For Windows 2000, only krb5 auth works for DsGetNCChanges, due to a bug in Windows (it returns garbage - a positive object count is returned along with first object == NULL). For Windows 2008, on the other hand, krb5 auth does not work currently due to the lack of support for AES keys. (Metze is working on that.) Michael (This used to be commit af85aad8147b85a0b9ea2ccc66b8f04efdfe5cf3)
Diffstat (limited to 'source4/libnet')
-rw-r--r--source4/libnet/libnet_become_dc.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index 6a13974236..8b7fd57780 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1516,22 +1516,30 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s,
drsuapi->s = s;
if (!drsuapi->binding) {
+ char *krb5_str = "";
+ char *print_str = "";
/*
- * Note: It's important to pass 'krb5' as auth_type here
- * otherwise the replication will not work with
- * Windows 2000. If NTLMSSP is used Windows 2000
- * returns garbage in the DsGetNCChanges() response
+ * Note: Replication only works with Windows 2000 when 'krb5' is
+ * passed as auth_type here. If NTLMSSP is used, Windows
+ * 2000 returns garbage in the DsGetNCChanges() response
* if encrypted password attributes would be in the response.
* That means the replication of the schema and configuration
* partition works fine, but it fails for the domain partition.
*/
- if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) {
- binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name);
- if (composite_nomem(binding_str, c)) return;
- } else {
- binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,seal]", s->source_dsa.dns_name);
- if (composite_nomem(binding_str, c)) return;
+ if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc",
+ "force krb5", true))
+ {
+ krb5_str = "krb5,";
}
+ if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc",
+ "print", false))
+ {
+ print_str = "print,";
+ }
+ binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[%s%sseal]",
+ s->source_dsa.dns_name,
+ krb5_str, print_str);
+ if (composite_nomem(binding_str, c)) return;
c->status = dcerpc_parse_binding(s, binding_str, &drsuapi->binding);
talloc_free(binding_str);
if (!composite_is_ok(c)) return;
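Review bot: With `become_dc:force krb5 = no` the binding string built here becomes `[seal]` or `[print,seal]` with no auth mechanism named, and neither the code nor the comment above it says which mechanism the bind then uses. This connection replicates the domain partition, including encrypted password attributes, so the comment should record that the option relaxes the mechanism requirement and what it is for, e.g. `* Setting "become_dc:force krb5 = no" drops the krb5 requirement (the bind presumably falls back to NTLMSSP - confirm); use it only against DCs where krb5 fails, e.g. Windows 2008.` Separately, `krb5_str` and `print_str` only ever point at string literals and should be declared `const char *`. The enclosing function becomeDC_drsuapi_connect_send starts and ends outside the hunk.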