Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials.c23
-rw-r--r--source4/auth/credentials/credentials.h2
-rw-r--r--source4/auth/credentials/credentials_files.c16
-rw-r--r--source4/auth/credentials/credentials_krb5.c36
-rw-r--r--source4/auth/gensec/gensec_gssapi.c5
-rw-r--r--source4/auth/gensec/gensec_krb5.c4
-rw-r--r--source4/auth/system_session.c2
7 files changed, 54 insertions, 34 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index e7f2280bc9..6d5c1210c9 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -118,7 +118,8 @@ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
const char *cli_credentials_get_username(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->username_obtained == CRED_CALLBACK &&
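Review bot: The NTSTATUS returned by `cli_credentials_set_machine_account()` is still discarded at the rewritten call in `cli_credentials_get_username()`, so a failed secrets lookup looks the same as success and the getter returns whatever the struct already held. The same pattern appears in the get_principal, get_password, get_old_password, get_domain, get_realm and is_anonymous hunks of this file, and in `cli_credentials_get_ccache()` in credentials_krb5.c. Since the change already touches every one of these call sites, it would be worth at least logging the failure, e.g. `if (!NT_STATUS_IS_OK(status)) DEBUG(1, ("Could not load machine account: %s\n", nt_errstr(status)));`. In is_anonymous in particular, a silent failure presumably leaves the username unset, which may cause machine credentials to be treated as anonymous; that depends on code outside the hunk. The function bodies continue past these hunks.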
@@ -186,7 +187,8 @@ const char *cli_credentials_get_bind_dn(struct cli_credentials *cred)
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->principal_obtained == CRED_CALLBACK &&
@@ -276,7 +278,8 @@ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
const char *cli_credentials_get_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->password_obtained == CRED_CALLBACK &&
@@ -331,7 +334,8 @@ bool cli_credentials_set_password_callback(struct cli_credentials *cred,
const char *cli_credentials_get_old_password(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
return cred->old_password;
@@ -400,7 +404,8 @@ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const char *cli_credentials_get_domain(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->domain_obtained == CRED_CALLBACK &&
@@ -454,7 +459,8 @@ bool cli_credentials_set_domain_callback(struct cli_credentials *cred,
const char *cli_credentials_get_realm(struct cli_credentials *cred)
{
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
if (cred->realm_obtained == CRED_CALLBACK &&
@@ -669,7 +675,7 @@ void cli_credentials_guess(struct cli_credentials *cred,
}
if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
- cli_credentials_set_ccache(cred, NULL, CRED_GUESS_FILE);
+ cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE);
}
}
@@ -733,7 +739,8 @@ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
const char *username;
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred,
+ cred->machine_account_pending_lp_ctx);
}
username = cli_credentials_get_username(cred);
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 7ea37e40d1..e00acf727a 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -104,8 +104,8 @@ struct cli_credentials {
/* We are flagged to get machine account details from the
* secrets.ldb when we are asked for a username or password */
-
bool machine_account_pending;
+ struct loadparm_context *machine_account_pending_lp_ctx;
/* Is this a machine account? */
bool machine_account;
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index e7435f56f8..c1001c9622 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -305,13 +305,13 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
* (chewing CPU time) from the password */
keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL);
if (keytab) {
- cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab));
if (keytab) {
- cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
}
}
}
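Review bot: Both rewritten `cli_credentials_set_keytab_name()` calls drop the int result, so a keytab named in the secrets record that cannot be opened under this `lp_ctx` leaves `cred` without a keytab while the function carries on. Consider capturing the result in a local and emitting a DEBUG on non-zero, or mapping it to an NTSTATUS failure if a stored keytab is meant to be mandatory. The rest of `cli_credentials_set_secrets()` lies outside the hunk, so whether a later step would catch this is not visible here.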
@@ -326,7 +326,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
-NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
+NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
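Review bot: The doc comment above `cli_credentials_set_machine_account()` still lists only `@param cred`; the new `lp_ctx` argument is undocumented. Suggest adding `* @param lp_ctx Loadparm context passed on to cli_credentials_set_secrets() for the secrets lookup`. The same gap exists for the new `lp_ctx` parameter of `cli_credentials_set_stored_principal()` and `cli_credentials_set_machine_account_pending()` in the later hunks of this file. The function body continues outside the hunk.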
@@ -335,7 +336,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, global_loadparm, NULL,
+ return cli_credentials_set_secrets(cred, lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
}
@@ -369,6 +370,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
char *filter;
@@ -380,7 +382,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, global_loadparm, NULL,
+ return cli_credentials_set_secrets(cred, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter);
}
@@ -393,9 +395,11 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
* than during, popt processing.
*
*/
-void cli_credentials_set_machine_account_pending(struct cli_credentials *cred)
+void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
cred->machine_account_pending = true;
+ cred->machine_account_pending_lp_ctx = lp_ctx;
}
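Review bot: `cred->machine_account_pending_lp_ctx = lp_ctx;` stores a borrowed pointer that is only dereferenced later, when a getter in credentials.c lazily calls `cli_credentials_set_machine_account()`; nothing in this hunk ties the lifetime of the loadparm context to `cred` or rejects a NULL `lp_ctx`. If the context can be freed or replaced before the first getter runs, the deferred lookup would use a stale pointer; whether that can happen depends on callers not shown here, such as the one in system_session.c. At minimum, document the contract on the struct field in credentials.h, e.g. `/* borrowed; must remain valid until the pending machine account is resolved */`. It would also help to reset the field to NULL where `machine_account_pending` is cleared, so a stale context cannot be reused.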
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index cfdc2e3f5a..90b196e99e 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -127,6 +127,7 @@ static int free_dccache(struct ccache_container *ccc) {
}
int cli_credentials_set_ccache(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained)
{
@@ -142,7 +143,7 @@ int cli_credentials_set_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
@@ -201,6 +202,7 @@ int cli_credentials_set_ccache(struct cli_credentials *cred,
static int cli_credentials_new_ccache(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct ccache_container **_ccc)
{
krb5_error_code ret;
@@ -218,7 +220,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
@@ -250,12 +252,13 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
}
int cli_credentials_get_ccache(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct ccache_container **ccc)
{
krb5_error_code ret;
if (cred->machine_account_pending) {
- cli_credentials_set_machine_account(cred);
+ cli_credentials_set_machine_account(cred, lp_ctx);
}
if (cred->ccache_obtained >= cred->ccache_threshold &&
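Review bot: `cli_credentials_get_ccache()` resolves a pending machine account with the caller's `lp_ctx`, whereas every getter in credentials.c uses `cred->machine_account_pending_lp_ctx`. If the two contexts ever differ, which configuration the machine secrets are loaded from depends on which accessor happens to run first. For consistency consider `cli_credentials_set_machine_account(cred, cred->machine_account_pending_lp_ctx);` here, or add a comment explaining why the caller's context is preferred. The function body continues outside the hunk.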
@@ -267,7 +270,7 @@ int cli_credentials_get_ccache(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_new_ccache(cred, ccc);
+ ret = cli_credentials_new_ccache(cred, lp_ctx, ccc);
if (ret) {
return ret;
}
@@ -344,6 +347,7 @@ static int free_gssapi_creds(struct gssapi_creds_container *gcc)
}
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc)
{
int ret = 0;
@@ -355,7 +359,7 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
*_gcc = cred->client_gss_creds;
return 0;
}
- ret = cli_credentials_get_ccache(cred,
+ ret = cli_credentials_get_ccache(cred, lp_ctx,
&ccache);
if (ret) {
DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret)));
@@ -397,6 +401,7 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
*/
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained)
{
@@ -413,7 +418,7 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_new_ccache(cred, &ccc);
+ ret = cli_credentials_new_ccache(cred, lp_ctx, &ccc);
if (ret != 0) {
return ret;
}
@@ -450,6 +455,7 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
* it will be generated from the password.
*/
int cli_credentials_get_keytab(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct keytab_container **_ktc)
{
krb5_error_code ret;
@@ -468,7 +474,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&smb_krb5_context);
if (ret) {
return ret;
@@ -503,6 +509,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
* FILE:/etc/krb5.keytab), open it and attach it */
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained)
{
@@ -515,7 +522,7 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
@@ -540,7 +547,8 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
return ret;
}
-int cli_credentials_update_keytab(struct cli_credentials *cred)
+int cli_credentials_update_keytab(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx)
{
krb5_error_code ret;
struct keytab_container *ktc;
@@ -553,7 +561,7 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
if (ret) {
talloc_free(mem_ctx);
return ret;
@@ -561,7 +569,7 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
enctype_strings = cli_credentials_get_enctype_strings(cred);
- ret = cli_credentials_get_keytab(cred, &ktc);
+ ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
@@ -576,6 +584,7 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
/* Get server gss credentials (in gsskrb5, this means the keytab) */
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc)
{
int ret = 0;
@@ -593,13 +602,12 @@ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_krb5_context(cred, global_loadparm, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
- ret = cli_credentials_get_keytab(cred,
- &ktc);
+ ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc);
if (ret) {
DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret)));
return ret;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index bb71a55073..87fa47646b 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -271,7 +271,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
DEBUG(3, ("No machine account credentials specified\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
- ret = cli_credentials_get_server_gss_creds(machine_account, &gcc);
+ ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
error_message(ret)));
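Review bot: The rewritten call `ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->lp_ctx, &gcc);` now runs well past 80 columns, while the calls changed in credentials_krb5.c keep one argument group per line. Wrapping it after the first argument, with `gensec_security->lp_ctx, &gcc);` on a continuation line, would keep the style uniform. The same applies to the `cli_credentials_get_client_gss_creds()` call in the next hunk and to both rewritten calls in gensec_krb5.c.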
@@ -357,7 +357,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_client_gss_creds(creds, &gcc);
+ ret = cli_credentials_get_client_gss_creds(creds, gensec_security->lp_ctx, &gcc);
switch (ret) {
case 0:
break;
@@ -1365,6 +1365,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
+ gensec_security->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED);
if (ret) {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index ca289f24d3..5cd0de1ceb 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -246,7 +246,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
principal = gensec_get_target_principal(gensec_security);
- ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
+ ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &ccache_container);
switch (ret) {
case 0:
break;
@@ -444,7 +444,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
}
/* Grab the keytab, however generated */
- ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
+ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 7c1e97b74f..e99bbbb1ab 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -196,7 +196,7 @@ static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx,
if (anonymous_credentials) {
cli_credentials_set_anonymous(session_info->credentials);
} else {
- cli_credentials_set_machine_account_pending(session_info->credentials);
+ cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
}
*_session_info = session_info;