Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth_util.c | 2 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.c | 4 | ||||
-rw-r--r-- | source4/auth/credentials/credentials_files.c | 39 | ||||
-rw-r--r-- | source4/auth/gensec/schannel_state.c | 3 |
4 files changed, 39 insertions, 9 deletions
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index 5a5e779bf1..dbedde9190 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -604,8 +604,6 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, } cli_credentials_set_conf(session_info->credentials); - /* set anonymous as the fallback, if the machine account won't work */ - cli_credentials_set_anonymous(session_info->credentials); cli_credentials_set_machine_account_pending(session_info->credentials); *_session_info = session_info; diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 22b7772182..0e37fdc4a6 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -171,6 +171,10 @@ BOOL cli_credentials_set_principal_callback(struct cli_credentials *cred, BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) { + if (cred->machine_account_pending) { + cli_credentials_set_machine_account(cred); + } + if (cred->principal_obtained >= CRED_SPECIFIED) { return True; } diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 6b3c77c4e3..1f7a7cf435 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -208,6 +208,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); if (!ldb) { + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
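Review bot: The NTSTATUS returned by `cli_credentials_set_machine_account(cred)` is discarded in the block added at the top of cli_credentials_authentication_requested, so a failed secrets lookup looks the same as a successful one. Judging by the credentials_files.c hunks in this commit, the failure paths switch the credentials to anonymous, so this predicate can silently downgrade a machine-account session. What it returns afterwards depends on how cli_credentials_set_anonymous sets `principal_obtained`, which is not visible here. At minimum keep the status and log it, e.g. `if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("machine account load failed: %s\n", nt_errstr(status))); }`, and add a comment that this query function loads secrets as a side effect. The function body continues past the hunk.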
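Review bot: The anonymous fallback is now repeated by hand in every failure branch of cli_credentials_set_secrets, here in the `!ldb` branch and again in the hunks at -220, -237 and -262. Any error return outside these hunks, or one added later, will leave the credentials without the fallback. A single exit path keeps it in one place: `failed: cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;`. Note that the `!ldb` branch returns without `talloc_free(mem_ctx)`, unlike the other four; how mem_ctx is allocated is outside the hunk, so confirm whether that is intended. The DEBUG messages also never say that the session has fallen back to anonymous, which is what an operator reading the log needs to know.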
@@ -220,11 +222,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (ldb_ret == 0) { DEBUG(1, ("Could not find entry to match filter: %s\n", filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n", ldb_ret, filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -237,6 +243,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!machine_account) { DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -262,6 +270,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
@@ -312,7 +324,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, */ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, filter); @@ -326,7 +343,12 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, @@ -342,10 +364,15 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal) { - char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, - cli_credentials_get_realm(cred), - cli_credentials_get_domain(cred), - serviceprincipal); + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, filter); } 
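Review bot: `filter` is handed to cli_credentials_set_secrets without a NULL check after `talloc_asprintf` in cli_credentials_set_machine_account. The same holds for cli_credentials_set_krbtgt and cli_credentials_set_stored_principal in the next two hunks. On allocation failure a NULL filter reaches the secrets search and the `%s` in its DEBUG messages. Add `if (!filter) { return NT_STATUS_NO_MEMORY; }` before the return in each of the three functions. The filter is also allocated on `cred` and nothing in these hunks frees it, so unless cli_credentials_set_secrets releases it, each call leaves another string attached to the credentials.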
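Review bot: The comment copied into cli_credentials_set_krbtgt, and into cli_credentials_set_stored_principal in the next hunk, says "We are setting a machine account here", which does not describe either function. It also does not say what the recursion is. Presumably cli_credentials_get_realm/cli_credentials_get_domain would trigger the pending machine-account load if the flag were still set, but that should be confirmed against the getters. Suggested wording: `/* Clear 'pending' before calling the getters below, which would otherwise try to load the machine account and overwrite what we set here */`.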
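Review bot: `serviceprincipal` is formatted directly into the search filter built from SECRETS_PRINCIPAL_SEARCH in cli_credentials_set_stored_principal, with no escaping visible in this hunk. If a caller can pass a principal name containing filter metacharacters such as `(`, `)`, `*` or `\`, the secrets lookup could match a different record than intended. Whether any caller takes this value from a remote peer is not visible here. If one does, encode the value for filter use before the `talloc_asprintf` call; otherwise document in the function header that callers must pass a trusted name.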
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c index 83776c4187..8f9a8ef6b5 100644 --- a/source4/auth/gensec/schannel_state.c +++ b/source4/auth/gensec/schannel_state.c @@ -47,7 +47,8 @@ static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx) existed = file_exists(path); - ldb = ldb_wrap_connect(mem_ctx, path, LDB_FLG_NOSYNC, NULL); + ldb = ldb_wrap_connect(mem_ctx, path, system_session(mem_ctx), + NULL, LDB_FLG_NOSYNC, NULL); talloc_free(path); if (!ldb) { return NULL; |
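Review bot: The result of `system_session(mem_ctx)` is passed straight into `ldb_wrap_connect` in schannel_db_connect without a NULL check. Whether system_session can fail is not visible here, but if it can, the schannel state database would be opened with no session info instead of the system session, and what ldb permits in that case is not shown either. Fetch it into a local first and bail out when it is missing: `struct auth_session_info *session = system_session(mem_ctx);` followed by `if (!session) { talloc_free(path); return NULL; }`. A one-line comment saying this database is deliberately opened with system privileges would also help the next reader. The function starts and ends outside the hunk.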