summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials_files.c29
-rw-r--r--source4/auth/credentials/credentials_krb5.c14
-rw-r--r--source4/auth/kerberos/kerberos_util.c4
-rw-r--r--source4/auth/kerberos/krb5_init_context.c2
4 files changed, 29 insertions, 20 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 219869cf3a..53350b8ed0 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
} else {
-
- DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
- cli_credentials_get_domain(cred)));
-
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
-
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
}
+ } else {
+ cli_credentials_set_password(cred, password, CRED_SPECIFIED);
}
+
domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
if (domain) {
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- if (password) {
- cli_credentials_set_password(cred, password, CRED_SPECIFIED);
- }
cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
return NT_STATUS_ACCESS_DENIED;
}
- /* search for the secret record */
+ /* search for the secret record, but only of things we can
+ * actually update */
ldb_ret = gendb_search(ldb,
mem_ctx, NULL,
&msgs, attrs,
- "objectClass=kerberosSecret");
+ "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
if (ldb_ret == -1) {
- DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+ DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
filter));
- talloc_free(mem_ctx);
- return status;
+ continue;
}
ret = cli_credentials_update_keytab(creds);
if (ret != 0) {
DEBUG(1, ("Failed to update keytab for %s\n",
filter));
- talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ continue;
}
}
return NT_STATUS_OK;
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 5f40ca1046..29b70d9a53 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -43,6 +43,20 @@ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
return 0;
}
+/* This needs to be called directly after the cli_credentials_init(),
+ * otherwise we might have problems with the krb5 context already
+ * being here.
+ */
+NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
+ struct smb_krb5_context *smb_krb5_context)
+{
+ if (!talloc_reference(cred, smb_krb5_context)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ cred->smb_krb5_context = smb_krb5_context;
+ return NT_STATUS_OK;
+}
+
int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained)
{
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index ad0e18b2e7..776b591ba4 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -397,9 +397,9 @@ static int create_keytab(TALLOC_CTX *parent_ctx,
const struct samr_Password *mach_pwd;
mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
if (!mach_pwd) {
- talloc_free(mem_ctx);
DEBUG(1, ("create_keytab: Domain trust informaton for account %s not available\n",
cli_credentials_get_principal(machine_account, mem_ctx)));
+ talloc_free(mem_ctx);
return EINVAL;
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
@@ -410,6 +410,7 @@ static int create_keytab(TALLOC_CTX *parent_ctx,
DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
+ talloc_free(mem_ctx);
return ret;
}
@@ -516,6 +517,7 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
switch (ret) {
case 0:
break;
+ case HEIM_ERR_OPNOTSUPP:
case ENOENT:
case KRB5_KT_END:
/* no point enumerating if there isn't anything here */
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 8e52ac5e3f..830c803524 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -448,6 +448,8 @@ static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data)
return ret;
}
+ (*smb_krb5_context)->krb5_context->mem_ctx = *smb_krb5_context;
+
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);