From 28d78c40ade22c4b5d445dbe23f18ca210e41f8c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 24 Jan 2006 05:31:08 +0000
Subject: r13107: Follow the lead of Heimdal's kpasswdd and use the HDB
 (hdb-ldb in our case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
---
 source4/auth/credentials/credentials_files.c | 29 ++++++++++------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

(limited to 'source4/auth/credentials/credentials_files.c')

diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 219869cf3a..53350b8ed0 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 		
 			cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
 		} else {
-		
-			DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
-				  cli_credentials_get_domain(cred)));
-
-			/* set anonymous as the fallback, if the machine account won't work */
-			cli_credentials_set_anonymous(cred);
-
-			talloc_free(mem_ctx);
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 		}
+	} else {
+		cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 	}
+
 	
 	domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
 	if (domain) {
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 	}
 
 	cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
-	if (password) {
-		cli_credentials_set_password(cred, password, CRED_SPECIFIED);
-	}
 
 	cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
 
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* search for the secret record */
+	/* search for the secret record, but only of things we can
+	 * actually update */
 	ldb_ret = gendb_search(ldb,
 			       mem_ctx, NULL,
 			       &msgs, attrs,
-			       "objectClass=kerberosSecret");
+			       "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
 	if (ldb_ret == -1) {
-		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
 		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("Failed to read secrets for keytab update for %s\n", 
 				  filter));
-			talloc_free(mem_ctx);
-			return status;
+			continue;
 		} 
 		ret = cli_credentials_update_keytab(creds);
 		if (ret != 0) {
 			DEBUG(1, ("Failed to update keytab for %s\n", 
 				  filter));
-			talloc_free(mem_ctx);
-			return NT_STATUS_UNSUCCESSFUL;
+			continue;
 		}
 	}
 	return NT_STATUS_OK;
-- 
cgit