diff options
-rw-r--r-- | source3/libads/disp_sec.c | 3 | ||||
-rw-r--r-- | source3/libads/krb5_setpw.c | 31 | ||||
-rw-r--r-- | source3/libads/ldap.c | 33 | ||||
-rw-r--r-- | source3/libads/sasl.c | 4 |
4 files changed, 35 insertions, 36 deletions
diff --git a/source3/libads/disp_sec.c b/source3/libads/disp_sec.c index a930fd6fe0..a7b0bf6f07 100644 --- a/source3/libads/disp_sec.c +++ b/source3/libads/disp_sec.c @@ -20,8 +20,6 @@ #include "includes.h" -#ifdef HAVE_ADS - static struct perm_mask_str { uint32 mask; char *str; @@ -158,5 +156,4 @@ void ads_disp_sd(SEC_DESC *sd) printf("-------------- End Of Security Descriptor\n"); } -#endif diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c index a49b6cbe3b..8079c0953f 100644 --- a/source3/libads/krb5_setpw.c +++ b/source3/libads/krb5_setpw.c @@ -471,4 +471,35 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server, } +/** + * Set the machine account password + * @param ads connection to ads server + * @param hostname machine whose password is being set + * @param password new password + * @return status of password change + **/ +ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads, + const char *hostname, + const char *password) +{ + ADS_STATUS status; + char *host = strdup(hostname); + char *principal; + + strlower(host); + + /* + we need to use the '$' form of the name here, as otherwise the + server might end up setting the password for a user instead + */ + asprintf(&principal, "%s$@%s", host, ads->auth.realm); + + status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset); + + free(host); + free(principal); + + return status; +} + #endif diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 1004ea229c..2133bf0719 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -22,7 +22,7 @@ #include "includes.h" -#ifdef HAVE_ADS +#ifdef HAVE_LDAP /** * @file ldap.c @@ -1444,37 +1444,6 @@ ads_set_sd_error: } /** - * Set the machine account password - * @param ads connection to ads server - * @param hostname machine whose password is being set - * @param password new password - * @return status of password change - **/ -ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads, - const char *hostname, - const char *password) -{ - ADS_STATUS status; - char *host = strdup(hostname); - char *principal; - - strlower(host); - - /* - we need to use the '$' form of the name here, as otherwise the - server might end up setting the password for a user instead - */ - asprintf(&principal, "%s$@%s", host, ads->auth.realm); - - status = krb5_set_password(ads->auth.kdc_server, principal, password, ads->auth.time_offset); - - free(host); - free(principal); - - return status; -} - -/** * pull the first entry from a ADS result * @param ads connection to ads server * @param res Results of search diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index f7dd01084a..aa7d99a5f7 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -20,7 +20,7 @@ #include "includes.h" -#ifdef HAVE_ADS +#ifdef HAVE_LDAP /* perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can @@ -190,10 +190,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) } DEBUG(3,("got principal=%s\n", principal)); +#ifdef HAVE_KRB5 if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism && ads_kinit_password(ads) == 0) { return ads_sasl_spnego_krb5_bind(ads, principal); } +#endif /* lets do NTLMSSP ... this has the big advantage that we don't need to sync clocks, and we don't rely on special versions of the krb5 |