diff options
-rw-r--r-- | source3/Makefile.in | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd.h | 5 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_cm.c | 31 |
3 files changed, 39 insertions, 5 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index ff9c9085f5..e5920600c5 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -439,7 +439,8 @@ WINBINDD_OBJ = \ $(GROUPDB_OBJ) $(PROFILE_OBJ) \ $(NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ) -WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o +WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \ + passdb/secrets.o WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o @@ -713,10 +714,11 @@ nsswitch/pam_winbind.so: $(PAM_WINBIND_OBJ) bin/.dummy @echo Linking $@ @$(LINK) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -bin/wbinfo: $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) $(UBIQX_OBJ) bin/.dummy +bin/wbinfo: $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) \ + $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy @echo Linking $@ @$(LINK) -o $@ $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) \ - $(UBIQX_OBJ) $(LIBS) + $(UBIQX_OBJ) $(LIBS) @BUILD_POPT@ bin/pam_smbpass.@SHLIBEXT@: $(PAM_SMBPASS_PICOOBJ) @echo "Linking shared library $@" diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h index 40514cc83a..2a6fa22961 100644 --- a/source3/nsswitch/winbindd.h +++ b/source3/nsswitch/winbindd.h @@ -194,4 +194,9 @@ typedef struct { #define SETENV(name, value, overwrite) ; #endif +/* Authenticated user info is stored in secrets.tdb under these keys */ + +#define SECRETS_AUTH_USER "SECRETS/AUTH_USER" +#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD" + #endif /* _WINBINDD_H */ diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 987b28e09c..31ab61a7de 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -182,6 +182,34 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name) return True; } +/* Choose between anonymous or authenticated connections. We need to use + an authenticated connection if DCs have the RestrictAnonymous registry + entry set > 0, or the "Additional restrictions for anonymous + connections" set in the win2k Local Security Policy. */ + +void cm_init_creds(struct ntuser_creds *creds) +{ + char *username, *password; + + ZERO_STRUCTP(creds); + + creds->pwd.null_pwd = True; /* anonymoose */ + + username = secrets_fetch(SECRETS_AUTH_USER, NULL); + password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL); + + if (username && *username) { + pwd_set_cleartext(&creds->pwd, password); + + fstrcpy(creds->user_name, username); + fstrcpy(creds->domain, lp_workgroup()); + + DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain, + creds->user_name)); + } else + DEBUG(3, ("IPC$ connections done anonymously\n")); +} + /* Open a new smb pipe connection to a DC on a given domain. Cache negative creation attempts so we don't try and connect to broken machines too often. */ @@ -257,8 +285,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name, make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20); make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0); - ZERO_STRUCT(creds); - creds.pwd.null_pwd = 1; + cm_init_creds(&creds); cli_init_creds(new_conn->cli, &creds); |