diff options
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 558f418d94..4dc08c6086 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -55,6 +55,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) BOOL result; fstring name_domain, name_user; int passlen; + unsigned char trust_passwd[16]; + time_t last_change_time; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; @@ -113,12 +115,23 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) return WINBINDD_ERROR; } + /* + * Get the machine account password for our primary domain + */ + + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + { + DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup())); + return WINBINDD_ERROR; + } + /* So domain_client_validate() actually opens a new connection for each authentication performed. This can theoretically be optimised to use an already open IPC$ connection. */ result = (domain_client_validate(&user_info, &server_info, - server_state.controller) == NT_STATUS_NOPROBLEMO); + server_state.controller, trust_passwd, + last_change_time) == NT_STATUS_NOPROBLEMO); return result ? WINBINDD_OK : WINBINDD_ERROR; } |