From 6cc5e2edc1018a30b9ef16f2572849790ab490d1 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Tue, 11 Dec 2001 05:19:15 +0000
Subject: Modify winbindd to use authenticated user info from secrets.tdb when making IPC$ connections to domain controllers. (This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
---
 source3/nsswitch/winbindd.h | 5 +++++
 source3/nsswitch/winbindd_cm.c | 31 +++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
(limited to 'source3/nsswitch')
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h
index 40514cc83a..2a6fa22961 100644
--- a/source3/nsswitch/winbindd.h
+++ b/source3/nsswitch/winbindd.h
@@ -194,4 +194,9 @@ typedef struct {
 #define SETENV(name, value, overwrite) ;
 #endif
+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD "SECRETS/AUTH_PASSWORD"
+
 #endif /* _WINBINDD_H */
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 987b28e09c..31ab61a7de 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -182,6 +182,34 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name)
 return True;
 }
+/* Choose between anonymous or authenticated connections. We need to use
+ an authenticated connection if DCs have the RestrictAnonymous registry
+ entry set > 0, or the "Additional restrictions for anonymous
+ connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+ char *username, *password;
+
+ ZERO_STRUCTP(creds);
+
+ creds->pwd.null_pwd = True; /* anonymoose */
+
+ username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+ password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+ if (username && *username) {
+ pwd_set_cleartext(&creds->pwd, password);
+
+ fstrcpy(creds->user_name, username);
+ fstrcpy(creds->domain, lp_workgroup());
+
+ DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+ creds->user_name));
+ } else
+ DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
 /* Open a new smb pipe connection to a DC on a given domain. Cache negative creation attempts so we don't try and connect to broken machines too often. */
@@ -257,8 +285,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name,
 make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
 make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
- ZERO_STRUCT(creds);
- creds.pwd.null_pwd = 1;
+ cm_init_creds(&creds);
 cli_init_creds(new_conn->cli, &creds);
-- cgit
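Review bot: In cm_init_creds (the `@@ -182,6 +182,34 @@` hunk of winbindd_cm.c) the two buffers returned by secrets_fetch() are never released or wiped, so if that call hands back heap copies (its definition is not visible here), each DC connection leaves another copy of the cleartext IPC$ password in winbindd's heap. A stored user with no stored password also reaches pwd_set_cleartext() with a NULL `password`; requiring both values before leaving the anonymous path avoids that. Passing NULL for the size argument means both values are trusted to be NUL-terminated as stored, which deserves a comment next to the two fetches. The sketch below wipes and frees the buffers once the credentials are copied; a plain memset before free can be removed by the optimiser, so prefer the tree's own wipe helper if it has one.

```c
	/* Leave the anonymous path only when both stored values are present. */
	if (username && *username && password) {
		/* … unchanged: pwd_set_cleartext, fstrcpy calls, DEBUG(3) … */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* Assumes secrets_fetch() returns malloc'd copies the caller owns: confirm. */
	if (password) {
		memset(password, 0, strlen(password));
		free(password);
	}
	free(username);
```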