From 9421ad4a7a900b219f87754bc20fa14f2f22fd35 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 5 Dec 2001 09:46:53 +0000 Subject: added a REALLY gross hack into kerberos_kinit_password so that winbindd can do a kinit this will be removed once we have code that gets a tgt and puts it in a place where cyrus-sasl can see it (This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f) --- source3/include/ads.h | 1 + source3/libads/ads_struct.c | 5 ++++- source3/libads/kerberos.c | 21 +++++++++++++++++++++ source3/libads/ldap.c | 4 ++++ source3/nsswitch/winbindd_ads.c | 2 +- source3/smbd/negprot.c | 2 +- source3/smbd/sesssetup.c | 2 +- source3/utils/net_ads.c | 2 +- 8 files changed, 34 insertions(+), 5 deletions(-) diff --git a/source3/include/ads.h b/source3/include/ads.h index 36351c1c2b..9c5e26f703 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -12,6 +12,7 @@ typedef struct { int ldap_port; char *bind_path; time_t last_attempt; + char *password; } ADS_STRUCT; diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 2d8bf06156..83c8f5b404 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -134,7 +134,8 @@ static char *find_ldap_server(ADS_STRUCT *ads) */ ADS_STRUCT *ads_init(const char *realm, const char *ldap_server, - const char *bind_path) + const char *bind_path, + const char *password) { ADS_STRUCT *ads; @@ -145,6 +146,7 @@ ADS_STRUCT *ads_init(const char *realm, ads->ldap_server = ldap_server? strdup(ldap_server) : NULL; ads->bind_path = bind_path? strdup(bind_path) : NULL; ads->ldap_port = LDAP_PORT; + if (password) ads->password = strdup(password); if (!ads->realm) { ads->realm = strdup(lp_realm()); @@ -181,6 +183,7 @@ void ads_destroy(ADS_STRUCT **ads) SAFE_FREE((*ads)->ldap_server); SAFE_FREE((*ads)->kdc_server); SAFE_FREE((*ads)->bind_path); + SAFE_FREE((*ads)->password); ZERO_STRUCTP(*ads); SAFE_FREE(*ads); } diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index a3aa8b1661..1b0de382bd 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -23,6 +23,27 @@ #ifdef HAVE_KRB5 + +/* VERY nasty hack until we have proper kerberos code for this */ +void kerberos_kinit_password(ADS_STRUCT *ads) +{ + char *s; + FILE *f; + extern pstring global_myname; + fstring myname; + fstrcpy(myname, global_myname); + strlower(myname); + asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm); + DEBUG(0,("HACK!! Running %s\n", s)); + f = popen(s, "w"); + if (f) { + fprintf(f,"%s\n", ads->password); + fflush(f); + fclose(f); + } + free(s); +} + /* verify an incoming ticket and parse out the principal name and authorization_data if available diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 14fd716058..287ea225a1 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -70,6 +70,10 @@ int ads_connect(ADS_STRUCT *ads) } ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version); + if (ads->password) { + kerberos_kinit_password(ads); + } + rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, LDAP_SASL_QUIET, sasl_interact, NULL); diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index 145f2b68d1..edf4d45c38 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -38,7 +38,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) return (ADS_STRUCT *)domain->private; } - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, secrets_fetch_machine_password()); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", domain->name)); return NULL; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 78d4da3a75..b99d239540 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -186,7 +186,7 @@ static int negprot_spnego(char *p) #endif { ADS_STRUCT *ads; - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); /* win2000 uses host$@REALM, which we will probably use eventually, but for now this works */ diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 35155c0dec..8e7ee38504 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -87,7 +87,7 @@ static int reply_spnego_kerberos(connection_struct *conn, return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); ret = ads_verify_ticket(ads, &ticket, &client, &auth_data); if (!NT_STATUS_IS_OK(ret)) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index a1ea063b20..c956d9bb65 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -44,7 +44,7 @@ static ADS_STRUCT *ads_startup(void) { ADS_STRUCT *ads; int rc; - ads = ads_init(NULL, NULL, NULL); + ads = ads_init(NULL, NULL, NULL, NULL); rc = ads_connect(ads); if (rc) { -- cgit