From a12a6686ba7301c464e8db857c73bfd1061dbf93 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 29 Sep 2005 00:02:38 +0000 Subject: r10596: Move the credentials code into it's own subsystem, and push it under auth/ Andrew Bartlett (This used to be commit 2e76a4b8efd59c496d64241d654538d3222545c6) --- source4/auth/credentials/credentials_files.c | 293 +++++++++++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 source4/auth/credentials/credentials_files.c (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c new file mode 100644 index 0000000000..353ff61720 --- /dev/null +++ b/source4/auth/credentials/credentials_files.c 
@@ -0,0 +1,293 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ User credentials handling (as regards on-disk files)
+
+ Copyright (C) Jelmer Vernooij 2005
+ Copyright (C) Tim Potter 2001
+ Copyright (C) Andrew Bartlett 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "lib/ldb/include/ldb.h"
+#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
+#include "include/secrets.h"
+#include "system/filesys.h"
+
+/**
+ * Read a file descriptor, and parse it for a password (eg from a file or stdin)
+ *
+ * @param credentials Credentials structure on which to set the password
+ * @param fd open file descriptor to read the password from
+ * @param obtained This enum describes how 'specified' this password is
+ */
+
+BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials,
+ int fd, enum credentials_obtained obtained)
+{
+ char *p;
+ char pass[128];
+
+ for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
+ p && p - pass < sizeof(pass);) {
+ switch (read(fd, p, 1)) {
+ case 1:
+ if (*p != '\n' && *p != '\0') {
+ *++p = '\0'; /* advance p, and null-terminate pass */
+ break;
+ }
+ case 0:
+ if (p - pass) {
+ *p = '\0'; /* null-terminate it, just in case... */
+ p = NULL; /* then force the loop condition to become false */
+ break;
+ } else {
+ fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
+ return False;
+ }
+
+ default:
+ fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
+ fd, strerror(errno));
+ return False;
+ }
+ }
+
+ cli_credentials_set_password(credentials, pass, obtained);
+ return True;
+}
+
+/**
+ * Read a named file, and parse it for a password
+ *
+ * @param credentials Credentials structure on which to set the password
+ * @param file a named file to read the password from
+ * @param obtained This enum describes how 'specified' this password is
+ */
+
+BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
+{
+ int fd = open(file, O_RDONLY, 0);
+ BOOL ret;
+
+ if (fd < 0) {
+ fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n",
+ file, strerror(errno));
+ return False;
+ }
+
+ ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
+
+ close(fd);
+
+ return ret;
+}
+
+/**
+ * Read a named file, and parse it for username, domain, realm and password
+ *
+ * @param credentials Credentials structure on which to set the password
+ * @param file a named file to read the details from
+ * @param obtained This enum describes how 'specified' this password is
+ */
+
+BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained)
+{
+ uint16_t len = 0;
+ char *ptr, *val, *param;
+ char **lines;
+ int i, numlines;
+
+ lines = file_lines_load(file, &numlines, NULL);
+
+ if (lines == NULL)
+ {
+ /* fail if we can't open the credentials file */
+ d_printf("ERROR: Unable to open credentials file!\n");
+ return False;
+ }
+
+ for (i = 0; i < numlines; i++) {
+ len = strlen(lines[i]);
+
+ if (len == 0)
+ continue;
+
+ /* break up the line into parameter & value.
+ * will need to eat a little whitespace possibly */
+ param = lines[i];
+ if (!(ptr = strchr_m (lines[i], '=')))
+ continue;
+
+ val = ptr+1;
+ *ptr = '\0';
+
+ /* eat leading white space */
+ while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
+ val++;
+
+ if (strwicmp("password", param) == 0) {
+ cli_credentials_set_password(cred, val, obtained);
+ } else if (strwicmp("username", param) == 0) {
+ cli_credentials_set_username(cred, val, obtained);
+ } else if (strwicmp("domain", param) == 0) {
+ cli_credentials_set_domain(cred, val, obtained);
+ } else if (strwicmp("realm", param) == 0) {
+ cli_credentials_set_realm(cred, val, obtained);
+ }
+ memset(lines[i], 0, len);
+ }
+
+ talloc_free(lines);
+
+ return True;
+}
+
+
+/**
+ * Fill in credentials for the machine trust account, from the secrets database.
+ *
+ * @param cred Credentials structure to fill in
+ * @retval NTSTATUS error detailing any failure
+ */
+NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
+{
+ TALLOC_CTX *mem_ctx;
+
+ struct ldb_context *ldb;
+ int ldb_ret;
+ struct ldb_message **msgs;
+ const char *attrs[] = {
+ "secret",
+ "samAccountName",
+ "flatname",
+ "realm",
+ "secureChannelType",
+ "ntPwdHash",
+ "msDS-KeyVersionNumber",
+ NULL
+ };
+
+ const char *machine_account;
+ const char *password;
+ const char *domain;
+ const char *realm;
+ enum netr_SchannelType sct;
+
+ /* ok, we are going to get it now, don't recurse back here */
+ cred->machine_account_pending = False;
+
+ mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
+ /* Local secrets are stored in secrets.ldb */
+ ldb = secrets_db_connect(mem_ctx);
+ if (!ldb) {
+ DEBUG(1, ("Could not open secrets.ldb\n"));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ /* search for the secret record */
+ ldb_ret = gendb_search(ldb,
+ mem_ctx, ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN),
+ &msgs, attrs,
+ SECRETS_PRIMARY_DOMAIN_FILTER,
+ cli_credentials_get_domain(cred));
+ if (ldb_ret == 0) {
+ DEBUG(1, ("Could not find join record to domain: %s\n",
+ cli_credentials_get_domain(cred)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ } else if (ldb_ret != 1) {
+ DEBUG(1, ("Found more than one (%d) join records to domain: %s\n",
+ ldb_ret, cli_credentials_get_domain(cred)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ password = ldb_msg_find_string(msgs[0], "secret", NULL);
+
+ machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL);
+
+ if (!machine_account) {
+ DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
+ cli_credentials_get_domain(cred)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0);
+ if (!sct) {
+ DEBUG(1, ("Domain join for acocunt %s did not have a secureChannelType set!\n",
+ machine_account));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if (!password) {
+ const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash");
+ struct samr_Password hash;
+ ZERO_STRUCT(hash);
+ if (nt_password_hash) {
+ memcpy(hash.hash, nt_password_hash->data,
+ MIN(nt_password_hash->length, sizeof(hash.hash)));
+
+ cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
+ } else {
+
+ DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
+ cli_credentials_get_domain(cred)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+ }
+
+ cli_credentials_set_secure_channel_type(cred, sct);
+
+ domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
+ if (domain) {
+ cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+ }
+
+ realm = ldb_msg_find_string(msgs[0], "realm", NULL);
+ if (realm) {
+ cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
+ }
+
+ cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ if (password) {
+ cli_credentials_set_password(cred, password, CRED_SPECIFIED);
+ }
+
+ cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
+
+ talloc_free(mem_ctx);
+
+ return NT_STATUS_OK;
+}
+
+/**
+ * Ask that when required, the credentials system will be filled with
+ * machine trust account, from the secrets database.
+ *
+ * @param cred Credentials structure to fill in
+ * @note This function is used to call the above function after, rather
+ * than during, popt processing.
+ *
+ */
+void cli_credentials_set_machine_account_pending(struct cli_credentials *cred)
+{
+ cred->machine_account_pending = True;
+}
+
-- cgit
From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 20 Oct 2005 03:47:55 +0000
Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
---
 source4/auth/credentials/credentials_files.c | 57 ++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 353ff61720..aa0a7f3213 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
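Review bot: In cli_credentials_parse_password_fd the loop bound `p - pass < sizeof(pass)` allows one write past the end of `pass`: when p already points at pass[127] the read lands there and `*++p = '\0'` stores the terminator at pass[128], one byte beyond the 128-byte stack buffer. Tighten the condition to `p && p - pass < sizeof(pass) - 1;) {` so the last slot is reserved for the NUL, and consider clearing `pass` once cli_credentials_set_password has taken its copy, since the buffer holds a cleartext secret. Separately, the ntPwdHash branch of cli_credentials_set_machine_account copies `MIN(nt_password_hash->length, sizeof(hash.hash))` bytes into a zeroed struct, so a short attribute value is silently accepted as a zero-padded hash; requiring `nt_password_hash->length == sizeof(hash.hash)` and failing otherwise is the safer contract. The `if (!sct)` return in the same function also skips `talloc_free(mem_ctx)`, unlike every other error return around it.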
@@ -164,7 +164,9 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) +static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + const char *base, + const char *filter) { TALLOC_CTX *mem_ctx; @@ -184,6 +186,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) const char *machine_account; const char *password; + const char *old_password; const char *domain; const char *realm; enum netr_SchannelType sct; @@ -201,10 +204,9 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) /* search for the secret record */ ldb_ret = gendb_search(ldb, - mem_ctx, ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN), + mem_ctx, ldb_dn_explode(mem_ctx, base), &msgs, attrs, - SECRETS_PRIMARY_DOMAIN_FILTER, - cli_credentials_get_domain(cred)); + "%s", filter); if (ldb_ret == 0) { DEBUG(1, ("Could not find join record to domain: %s\n", cli_credentials_get_domain(cred))); @@ -218,6 +220,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) } password = ldb_msg_find_string(msgs[0], "secret", NULL); + old_password = ldb_msg_find_string(msgs[0], "priorSecret", NULL); machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL); 
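Review bot: cli_credentials_set_secrets now hands `filter` straight to gendb_search as `"%s", filter` but never checks it for NULL, and the wrappers that build it (next hunk) use an unchecked talloc_asprintf, so an allocation failure reaches the printf-style search with a NULL `%s` argument. Add `if (!filter) return NT_STATUS_NO_MEMORY;` at the top of the function, before `mem_ctx` is allocated. `old_password` is read from `priorSecret` in the @@ -218 hunk but nothing in this commit consumes it; if a later change is meant to hand it to the credentials this is fine, otherwise it is a dead read of a secret into a local. The function's body continues outside these hunks.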
@@ -277,6 +280,52 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) return NT_STATUS_OK; } +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) +{ + char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + cli_credentials_get_domain(cred)); + return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, + filter); +} + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) +{ + char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred)); + return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + filter); +} + +/** + * Fill in credentials for the machine trust account, from the secrets database. + * + * @param cred Credentials structure to fill in + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + const char *serviceprincipal) +{ + char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); + return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + filter); +} + /** * Ask that when required, the credentials system will be filled with * machine trust account, from the secrets database. -- cgit From 11b16c2580a95afcd7740328282be1e0bbf74dc9 Mon Sep 17 00:00:00 2001 
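Review bot: The three new wrappers interpolate `cli_credentials_get_realm(cred)`, `cli_credentials_get_domain(cred)` and the caller-supplied `serviceprincipal` into an LDB search filter with talloc_asprintf, with no escaping of filter metacharacters and no NULL check on the result, and the filter is allocated on `cred` and never freed, so every call leaks it for the lifetime of the credentials. A value containing `(`, `)`, `*` or `\` alters the filter instead of being matched literally; secrets.ldb is local, but a realm or principal name taken from the command line can still carry such characters, so encode each value with ldb's filter-escaping helper if this tree has one, otherwise reject them. The doc comments on cli_credentials_set_krbtgt and cli_credentials_set_stored_principal are copied from the machine-account wrapper and should describe the krbtgt and stored-service-principal lookups instead. The shape below (shown for one wrapper) applies to all three.
```c
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
					      const char *serviceprincipal)
{
	NTSTATUS status;
	char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
				       cli_credentials_get_realm(cred),
				       cli_credentials_get_domain(cred),
				       serviceprincipal);
	if (!filter) {
		return NT_STATUS_NO_MEMORY;
	}
	status = cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, filter);
	talloc_free(filter);
	return status;
}
/* ... same NULL check and talloc_free(filter) in cli_credentials_set_machine_account and cli_credentials_set_krbtgt ... */
```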
From: Andrew Bartlett Date: Thu, 20 Oct 2005 04:53:42 +0000 Subject: r11204: Allow us to read credentials from secrets.ldb without a secureChannelType (non machine join records). Andrew Bartlett (This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3) --- source4/auth/credentials/credentials_files.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index aa0a7f3213..f23aecb0a0 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -232,10 +232,8 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0); - if (!sct) { - DEBUG(1, ("Domain join for acocunt %s did not have a secureChannelType set!\n", - machine_account)); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + if (sct) { + cli_credentials_set_secure_channel_type(cred, sct); } if (!password) { @@ -256,8 +254,6 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } } - cli_credentials_set_secure_channel_type(cred, sct); - domain = ldb_msg_find_string(msgs[0], "flatname", NULL); if (domain) { cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); -- cgit From b5e734b4ca8d0181ed9e868cd4f763fb572efa40 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 05:09:58 +0000 Subject: r11209: We can't read the priorSecret unless we ask for it. Andrew Bartlett (This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13) --- source4/auth/credentials/credentials_files.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index f23aecb0a0..31f645bc6c 100644 --- a/source4/auth/credentials/credentials_files.c 
+++ b/source4/auth/credentials/credentials_files.c @@ -175,6 +175,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, struct ldb_message **msgs; const char *attrs[] = { "secret", + "priorSecret", "samAccountName", "flatname", "realm", -- cgit From b0c7c175b1c1ed45a31a710e4fbe18bbffdd6d38 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 20 Oct 2005 10:28:16 +0000 Subject: r11220: Add the ability to handle the salt prinicpal as part of the credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work. Andrew Bartlett (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5) --- source4/auth/credentials/credentials_files.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 31f645bc6c..cdf38dcfa8 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -182,6 +182,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "secureChannelType", "ntPwdHash", "msDS-KeyVersionNumber", + "saltPrincipal", NULL }; @@ -191,6 +192,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, const char *domain; const char *realm; enum netr_SchannelType sct; + const char *salt_principal; /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; 
@@ -209,13 +211,13 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, &msgs, attrs, "%s", filter); if (ldb_ret == 0) { - DEBUG(1, ("Could not find join record to domain: %s\n", - cli_credentials_get_domain(cred))); + DEBUG(1, ("Could not find entry to match filter: %s\n", + filter)); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { - DEBUG(1, ("Found more than one (%d) join records to domain: %s\n", - ldb_ret, cli_credentials_get_domain(cred))); + DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n", + ldb_ret, filter)); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -231,6 +233,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } + + salt_principal = ldb_msg_find_string(msgs[0], "saltPrincipal", NULL); + cli_credentials_set_salt_principal(cred, salt_principal); sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0); if (sct) { -- cgit From cfa2adf04017c9491d4cc6a69a0bbd4869061b6d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 00:23:38 +0000 Subject: r11401: A simple hack to have our central credentials system deny sending LM authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46) --- source4/auth/credentials/credentials_files.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index cdf38dcfa8..35bbc43b34 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
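Review bot: `cli_credentials_set_salt_principal(cred, salt_principal)` in the @@ -231 hunk is called unconditionally, so a record without a saltPrincipal attribute hands NULL to the setter; the setter is not visible here, and if it duplicates or measures its argument this dereferences NULL for every record that predates the secrets.ldif change the commit message mentions. Guard it the way the surrounding code treats the other optional attributes: `if (salt_principal) { cli_credentials_set_salt_principal(cred, salt_principal); }`. The function continues outside the hunk.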
@@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; + /* some other parts of the system will key off this */ + cred->machine_account = True; + mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); -- cgit From 9c6b7f2d62e134a4bc15efc04e05be25e4a53dc7 Mon Sep 17 00:00:00 2001 
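Review bot: `cred->machine_account = True;` is set before the secrets lookup has succeeded, and in the version of the function visible in this series none of the failure returns that follow clear it, so a credentials object whose join record could not be found, or whose secrets.ldb could not be opened, stays flagged as a machine account. For the LM-suppression use named in the commit message that fails closed, but any other consumer of the flag sees a machine account that carries no machine secret. Set the flag only after the record has been read, or reset it with `cred->machine_account = False;` on each early return. The function's body continues outside the hunk.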
From: Andrew Bartlett Date: Thu, 1 Dec 2005 05:20:39 +0000 Subject: r11995: A big kerberos-related update. This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d) --- source4/auth/credentials/credentials_files.c | 92 ++++++++++++++++++++++++++-- 1 file changed, 88 insertions(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 35bbc43b34..6b3c77c4e3 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -164,9 +164,9 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, - const char *base, - const char *filter) +NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + const char *base, + const char *filter) { TALLOC_CTX *mem_ctx; @@ -183,6 +183,8 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "ntPwdHash", "msDS-KeyVersionNumber", "saltPrincipal", + "privateKeytab", + "krb5Keytab", NULL }; @@ -193,6 +195,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, const char *realm; enum netr_SchannelType sct; const char *salt_principal; + const char *keytab; /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; @@ -201,6 +204,7 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, cred->machine_account = True; mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); + /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); if (!ldb) { 
@@ -279,7 +283,22 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0)); - + + /* If there was an external keytab specified by reference in + * the LDB, then use this. Otherwise we will make one up + * (chewing CPU time) from the password */ + keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL); + if (keytab) { + cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED); + } else { + keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL); + if (keytab) { + keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab)); + if (keytab) { + cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED); + } + } + } talloc_free(mem_ctx); return NT_STATUS_OK; 
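Review bot: The keytab name built with `talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab))` lives on `mem_ctx`, which is freed a few lines later; unless cli_credentials_set_keytab copies the string onto `cred` (it is not visible here), the credentials keep a dangling pointer to the keytab path. Allocate it on `cred` instead, `keytab = talloc_asprintf(cred, "FILE:%s", private_path(mem_ctx, keytab));`, or confirm the setter duplicates its argument. `private_path()` can presumably fail and return NULL, in which case this formats a NULL pointer into the path rather than failing; check it before the asprintf. The krb5Keytab value is used verbatim as a keytab name, so anyone able to write secrets.ldb can point the server at an arbitrary keytab, which is worth a one-line comment even though that record presumably already holds the secret.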
@@ -345,3 +364,68 @@ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred) cred->machine_account_pending = True; } + +NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx) +{ + TALLOC_CTX *mem_ctx; + int ldb_ret; + struct ldb_context *ldb; + struct ldb_message **msgs; + const char *attrs[] = { NULL }; + struct cli_credentials *creds; + const char *filter; + NTSTATUS status; + int i, ret; + + mem_ctx = talloc_new(parent_ctx); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + + /* Local secrets are stored in secrets.ldb */ + ldb = secrets_db_connect(mem_ctx); + if (!ldb) { + DEBUG(1, ("Could not open secrets.ldb\n")); + talloc_free(mem_ctx); + return NT_STATUS_ACCESS_DENIED; + } + + /* search for the secret record */ + ldb_ret = gendb_search(ldb, + mem_ctx, NULL, + &msgs, attrs, + "objectClass=kerberosSecret"); + if (ldb_ret == -1) { + DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab")); + talloc_free(mem_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + for (i=0; i < ldb_ret; i++) { + /* Make a credentials structure from it */ + creds = cli_credentials_init(mem_ctx); + if (!creds) { + DEBUG(1, ("cli_credentials_init failed!")); + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + cli_credentials_set_conf(creds); + filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_linearize(mem_ctx, msgs[i]->dn)); + status = cli_credentials_set_secrets(creds, NULL, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to read secrets for keytab update for %s\n", + filter)); + talloc_free(mem_ctx); + return status; + } + ret = cli_credentials_update_keytab(creds); + if (ret != 0) { + DEBUG(1, ("Failed to update keytab for %s\n", + filter)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + } + return NT_STATUS_OK; +} + -- cgit From a1827a1deba04e0b4b2a508dc4e4e66603a46d16 Mon Sep 17 00:00:00 2001 
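Review bot: cli_credentials_update_all_keytabs never frees `mem_ctx` on its success path: the final `return NT_STATUS_OK;` leaves the secrets.ldb handle and every credentials object, each holding a machine secret in memory, attached to `parent_ctx` until that is freed, so add `talloc_free(mem_ctx);` before the return. The per-entry filter `"dn=%s"` is built from ldb_dn_linearize() without escaping, so a DN containing filter metacharacters such as `(`, `)` or `*` yields a malformed or over-broad filter and the lookup fails or picks the wrong record; passing the DN as the search base with an objectClass filter would avoid the round trip through filter syntax. Both talloc_asprintf results are unchecked. Reporting NT_STATUS_INTERNAL_DB_CORRUPTION for any search error also overstates the condition.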
From: Andrew Bartlett Date: Wed, 14 Dec 2005 07:22:25 +0000 Subject: r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b) --- source4/auth/credentials/credentials_files.c | 39 +++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 6 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 6b3c77c4e3..1f7a7cf435 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -208,6 +208,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); if (!ldb) { + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
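Review bot: The `if (!ldb)` path now downgrades the credentials to anonymous before returning, but it still returns without `talloc_free(mem_ctx)`, the only error path visible in this function that leaks the context; add `talloc_free(mem_ctx);` before the return. The anonymous fallback deserves a caveat where it is introduced: a caller that ignores the NT_STATUS result proceeds with an anonymous connection where it expected machine-account credentials, so something like `/* callers MUST check the returned status: on failure cred is now anonymous, not the machine account */` would make the contract visible. The function's body continues outside the hunk.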
@@ -220,11 +222,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (ldb_ret == 0) { DEBUG(1, ("Could not find entry to match filter: %s\n", filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n", ldb_ret, filter)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -237,6 +243,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!machine_account) { DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -262,6 +270,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n", cli_credentials_get_domain(cred))); + + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
@@ -312,7 +324,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, */ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, filter); @@ -326,7 +343,12 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) { - char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, @@ -342,10 +364,15 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal) { - char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, - cli_credentials_get_realm(cred), - cli_credentials_get_domain(cred), - serviceprincipal); + char *filter; + /* Bleh, nasty recursion issues: We are setting a machine + * account here, so we don't want the 'pending' flag around + * any more */ + cred->machine_account_pending = False; + filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, + cli_credentials_get_realm(cred), + cli_credentials_get_domain(cred), + serviceprincipal); return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, filter); } -- cgit 
From 221c1512a8b4de9a568c0a0cdafa97ab5c53368c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 21 Dec 2005 22:02:52 +0000 Subject: r12411: Add 'net samdump keytab '. This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772) --- source4/auth/credentials/credentials_files.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 1f7a7cf435..8d84e8cdb5 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -301,13 +301,13 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * (chewing CPU time) from the password */ keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL); if (keytab) { - cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); } else { keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL); if (keytab) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab)); if (keytab) { - cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); } } } -- cgit From 78c50015bb8bd5a1d831a6e7ec796b3367c73145 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Tue, 3 Jan 2006 15:40:05 +0000 Subject: r12694: Move some headers to the directory of the subsystem they belong to. (This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 8d84e8cdb5..219869cf3a 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -25,7 +25,7 @@ #include "includes.h" #include "lib/ldb/include/ldb.h" #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ -#include "include/secrets.h" +#include "passdb/secrets.h" #include "system/filesys.h" /** -- cgit From 28d78c40ade22c4b5d445dbe23f18ca210e41f8c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 24 Jan 2006 05:31:08 +0000 Subject: r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0) --- source4/auth/credentials/credentials_files.c | 29 ++++++++++------------------ 1 file changed, 10 insertions(+), 19 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 219869cf3a..53350b8ed0 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
 } else {
-
- DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
- cli_credentials_get_domain(cred)));
-
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
-
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 }
+ } else {
+ cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 }
+
 domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
 if (domain) {
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 }
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
- if (password) {
- cli_credentials_set_password(cred, password, CRED_SPECIFIED);
- }
 cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 return NT_STATUS_ACCESS_DENIED;
 }
- /* search for the secret record */
+ /* search for the secret record, but only of things we can
+ * actually update */
 ldb_ret = gendb_search(ldb,
 mem_ctx, NULL,
 &msgs, attrs,
- "objectClass=kerberosSecret");
+ "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
 if (ldb_ret == -1) {
- DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+ DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
 talloc_free(mem_ctx);
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 }
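Review bot: In the first hunk, the branch reached when the record has neither `secret` nor an NT hash now calls `cli_credentials_set_password(cred, NULL, CRED_SPECIFIED)` and continues, where the removed lines logged the condition, fell back to anonymous and returned NT_STATUS_CANT_ACCESS_DOMAIN_INFO; a record with no key material at all is now indistinguishable in the logs from a healthy one. If carrying on is intended because such records are served from a keytab, keep a trace of it: `DEBUG(3, ("No 'secret' or NT hash in record for domain %s, relying on the keytab\n", cli_credentials_get_domain(cred)));` before the set_password call. The third hunk's search filter, `(|(secret=*)(ntPwdHash=*))`, treats exactly those attributes as the mark of a usable record, so the two paths now disagree about what counts as usable. cli_credentials_set_secrets begins and ends outside this hunk.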
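Review bot: The new DEBUG string in the third hunk, `keytab:: %s`, has a doubled colon and lacks the trailing `\n` that the other DEBUG messages in these hunks carry, so the ldb error text runs into the next log line; `DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab: %s\n", ldb_errstring(ldb)));`. cli_credentials_update_all_keytabs starts above this hunk.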
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
 filter));
- talloc_free(mem_ctx);
- return status;
+ continue;
 }
 ret = cli_credentials_update_keytab(creds);
 if (ret != 0) {
 DEBUG(1, ("Failed to update keytab for %s\n",
 filter));
- talloc_free(mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ continue;
 }
 }
 return NT_STATUS_OK;
-- cgit
From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 7 Mar 2006 11:07:23 +0000
Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
---
 source4/auth/credentials/credentials_files.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 53350b8ed0..c4e384c2cd 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -27,6 +27,7 @@
 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
 #include "passdb/secrets.h"
 #include "system/filesys.h"
+#include "db_wrap.h"
 /**
 * Read a file descriptor, and parse it for a password (eg from a file or stdin)
-- cgit
From 3f16241a1d3243447d0244ebac05b447aec94df8 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 14 Mar 2006 01:29:56 +0000
Subject: r14363: Remove credentials.h from the global includes.
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
---
 source4/auth/credentials/credentials_files.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index c4e384c2cd..dd510f97f1 100644
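Review bot: With `continue` in both failure paths, cli_credentials_update_all_keytabs now returns NT_STATUS_OK even when every record failed to load or to update, so a caller can no longer tell a wholly failed run from a clean one; count the failures in the loop and return NT_STATUS_UNSUCCESSFUL when nothing succeeded (the loop head is outside this hunk). The per-record `creds`, which holds the record's password or hash once cli_credentials_set_secrets has filled it, is also left alive under `mem_ctx` on each `continue`, where the removed lines released it together with `mem_ctx`; `talloc_free(creds); continue;` on both paths, plus a `talloc_free(creds);` at the end of the loop body, keeps each secret's lifetime to its own iteration. The closing `return NT_STATUS_OK;` likewise returns without freeing `mem_ctx` (allocated from `parent_ctx` above the hunk), unlike the error paths this change removes — presumably the caller's context is short-lived, but that is worth a comment either way.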
--- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -28,6 +28,7 @@ #include "passdb/secrets.h" #include "system/filesys.h" #include "db_wrap.h" +#include "auth/credentials/credentials.h" /** * Read a file descriptor, and parse it for a password (eg from a file or stdin) -- cgit From 8528016978b084213ef53d66e1b6e831b1a01acc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 00:23:11 +0000 Subject: r14464: Don't include ndr_BASENAME.h files unless strictly required, instead try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index dd510f97f1..6afd5ea828 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -24,7 +24,7 @@ #include "includes.h" #include "lib/ldb/include/ldb.h" -#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */ +#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ #include "passdb/secrets.h" #include "system/filesys.h" #include "db_wrap.h" -- cgit From 14594c7b85e661aa8370103089fb817f2842d892 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 8 Apr 2006 02:44:37 +0000 Subject: r14977: more IBM checker fixes (This used to be commit cd106509b664e9ca53419a62550b256b7e5bde3c) --- source4/auth/credentials/credentials_files.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 6afd5ea828..a268fe369e 100644 --- a/source4/auth/credentials/credentials_files.c 
+++ b/source4/auth/credentials/credentials_files.c
@@ -52,6 +52,7 @@ BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials,
 *++p = '\0'; /* advance p, and null-terminate pass */
 break;
 }
+ /* fall through */
 case 0:
 if (p - pass) {
 *p = '\0'; /* null-terminate it, just in case... */
-- cgit
From a23b63a8e54db7d0ec98ad95cdca11dd4d039e17 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 13 Aug 2006 08:00:36 +0000
Subject: r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf869550af66119d0293503024d41d834e02)
---
 source4/auth/credentials/credentials_files.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index a268fe369e..c61f8ccb5e 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -238,10 +238,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
- password = ldb_msg_find_string(msgs[0], "secret", NULL);
- old_password = ldb_msg_find_string(msgs[0], "priorSecret", NULL);
+ password = ldb_msg_find_attr_as_string(msgs[0], "secret", NULL);
+ old_password = ldb_msg_find_attr_as_string(msgs[0], "priorSecret", NULL);
- machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL);
+ machine_account = ldb_msg_find_attr_as_string(msgs[0], "samAccountName", NULL);
 if (!machine_account) {
 DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
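Review bot: The `/* fall through */` annotation is correct, but the context line above it, `*++p = '\0';`, deserves a look while this switch is being touched: it advances `p` and writes the terminator one byte beyond the position just read, so unless the loop guard (outside this hunk) stops one short of `sizeof(pass)`, input of `sizeof(pass)` or more non-newline bytes stores the terminator at `pass[sizeof(pass)]`, one past the end of the stack buffer. A local check makes the bound explicit regardless of the guard: `if (p - pass + 1 >= sizeof(pass)) { fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "password too long\n"); return False; }` placed before `*++p = '\0';`. cli_credentials_parse_password_fd begins and ends outside this hunk.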
@@ -252,10 +252,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - salt_principal = ldb_msg_find_string(msgs[0], "saltPrincipal", NULL); + salt_principal = ldb_msg_find_attr_as_string(msgs[0], "saltPrincipal", NULL); cli_credentials_set_salt_principal(cred, salt_principal); - sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0); + sct = ldb_msg_find_attr_as_int(msgs[0], "secureChannelType", 0); if (sct) { cli_credentials_set_secure_channel_type(cred, sct); } @@ -277,28 +277,28 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } - domain = ldb_msg_find_string(msgs[0], "flatname", NULL); + domain = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL); if (domain) { cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); } - realm = ldb_msg_find_string(msgs[0], "realm", NULL); + realm = ldb_msg_find_attr_as_string(msgs[0], "realm", NULL); if (realm) { cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); - cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0)); + cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0)); /* If there was an external keytab specified by reference in * the LDB, then use this. Otherwise we will make one up * (chewing CPU time) from the password */ - keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL); + keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL); if (keytab) { cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); } else { - keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL); + keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab)); if (keytab) { -- cgit From 5a6e2bc9aeb71c94eeab8c0a5755aded989b039d Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Mon, 6 Nov 2006 16:11:52 +0000 Subject: r19573: Move secrets.o into param/ (subsystems haven't been integrated yet). (This used to be commit 8143de855c0b65346b2d8e59ecdb78952927de4a) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index c61f8ccb5e..53a6f39cd4 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -25,7 +25,7 @@ #include "includes.h" #include "lib/ldb/include/ldb.h" #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ -#include "passdb/secrets.h" +#include "param/secrets.h" #include "system/filesys.h" #include "db_wrap.h" #include "auth/credentials/credentials.h" -- cgit From 13dbee3ffea6065a826f010e50c9b4eb2c6ad109 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Nov 2006 00:48:36 +0000 Subject: r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9) --- source4/auth/credentials/credentials_files.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 53a6f39cd4..ecd89d2259 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -29,6 +29,7 @@ #include "system/filesys.h" #include "db_wrap.h" #include "auth/credentials/credentials.h" +#include "auth/credentials/credentials_krb5.h" /** * Read a file descriptor, and parse it for a password (eg from a file or stdin) -- cgit 
From 4889eb9f7aae9349e426d0f6d2217adff67eaebd Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 22 Nov 2006 00:59:34 +0000
Subject: r19831: Big ldb_dn optimization and interfaces enhancement patch This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
---
 source4/auth/credentials/credentials_files.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index ecd89d2259..1cbc9d9c15 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -220,7 +220,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 /* search for the secret record */
 ldb_ret = gendb_search(ldb,
- mem_ctx, ldb_dn_explode(mem_ctx, base),
+ mem_ctx, ldb_dn_new(mem_ctx, ldb, base),
 &msgs, attrs,
 "%s", filter);
 if (ldb_ret == 0) {
-- cgit
From a9e31b33b55a873c2f01db5e348560176adf863d Mon Sep 17 00:00:00 2001
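Review bot: The `ldb_dn_new(mem_ctx, ldb, base)` result is fed straight into gendb_search without a NULL check; ldb_dn_new returns NULL when it cannot allocate, and the replaced `ldb_dn_explode` did so for an unparsable `base` as well, so in that case the search silently runs against a NULL base instead of failing. Build the DN into a local first, `struct ldb_dn *base_dn = ldb_dn_new(mem_ctx, ldb, base);`, and bail out with `talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY;` when it is NULL for a non-NULL `base` (a caller elsewhere in this file passes NULL as `base`, so whether a NULL input yields a NULL DN needs confirming against ldb before treating that as an error). cli_credentials_set_secrets begins and ends outside this hunk.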
From: Simo Sorce
Date: Wed, 22 Nov 2006 02:05:19 +0000
Subject: r19832: better prototypes for the linearization functions: - ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
---
 source4/auth/credentials/credentials_files.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 1cbc9d9c15..a0ce4a2fd1 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -434,7 +434,7 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 return NT_STATUS_NO_MEMORY;
 }
 cli_credentials_set_conf(creds);
- filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_linearize(mem_ctx, msgs[i]->dn));
+ filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_get_linearized(msgs[i]->dn));
 status = cli_credentials_set_secrets(creds, NULL, filter);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
-- cgit
From 744dddd75be73e4e883241b808b37a12a7a39ac1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sun, 4 Feb 2007 07:17:03 +0000
Subject: r21135: Instead of having hooks to update keytabs as an explicit thing, update them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it. Andrew Bartlett
(This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
---
 source4/auth/credentials/credentials_files.c | 85 ++++------------------------
 1 file changed, 12 insertions(+), 73 deletions(-)
(limited to 'source4/auth/credentials/credentials_files.c')
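Review bot: The changed line builds an LDAP filter, `dn=%s`, by interpolating the record's linearized DN unescaped, and `filter` is then handed to cli_credentials_set_secrets where it is used as the search filter. A DN whose attribute values contain filter metacharacters (`(`, `)`, `*`, `\`) would likely yield a malformed or differently matching filter, so the value should go through ldb's filter-escaping helper before it is formatted, and the `talloc_asprintf` result should be NULL-checked (`if (!filter) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`) before use, as `creds` is checked just above. If ldb_dn_get_linearized can return NULL for a DN it cannot linearize, that also reaches `%s` unchecked here. cli_credentials_update_all_keytabs begins and ends outside this hunk.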
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index a0ce4a2fd1..006f242de9 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -169,12 +169,12 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file,
 * @retval NTSTATUS error detailing any failure
 */
 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
+ struct ldb_context *ldb,
 const char *base,
 const char *filter)
 {
 TALLOC_CTX *mem_ctx;
- struct ldb_context *ldb;
 int ldb_ret;
 struct ldb_message **msgs;
 const char *attrs[] = {
@@ -209,13 +209,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
- /* Local secrets are stored in secrets.ldb */
- ldb = secrets_db_connect(mem_ctx);
 if (!ldb) {
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
- DEBUG(1, ("Could not open secrets.ldb\n"));
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ /* Local secrets are stored in secrets.ldb */
+ ldb = secrets_db_connect(mem_ctx);
+ if (!ldb) {
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ DEBUG(1, ("Could not open secrets.ldb\n"));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
 }
 /* search for the secret record */
@@ -327,7 +329,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
 cred->machine_account_pending = False;
 filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
 cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
+ return cli_credentials_set_secrets(cred, NULL, SECRETS_PRIMARY_DOMAIN_DN,
 filter);
 }
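Review bot: In the second hunk, the rewritten failure path returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO without releasing `mem_ctx`, allocated with `talloc_named(cred, ...)` just above, while the other error returns of cli_credentials_set_secrets pair `cli_credentials_set_anonymous(cred)` with `talloc_free(mem_ctx)`; make this one match: `talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;`. The new `ldb` parameter in the first hunk also needs a line in the doc comment the hunk cuts into, e.g. `@param ldb secrets database to read from; NULL opens secrets.ldb for the duration of this call` (whether a caller-supplied `ldb` is ever closed here should be confirmed and stated). cli_credentials_set_secrets continues past the second hunk.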
@@ -347,7 +349,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN, filter); } @@ -369,7 +371,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, + return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN, filter); } 
@@ -388,66 +390,3 @@ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred) } -NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx) -{ - TALLOC_CTX *mem_ctx; - int ldb_ret; - struct ldb_context *ldb; - struct ldb_message **msgs; - const char *attrs[] = { NULL }; - struct cli_credentials *creds; - const char *filter; - NTSTATUS status; - int i, ret; - - mem_ctx = talloc_new(parent_ctx); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } - - /* Local secrets are stored in secrets.ldb */ - ldb = secrets_db_connect(mem_ctx); - if (!ldb) { - DEBUG(1, ("Could not open secrets.ldb\n")); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } - - /* search for the secret record, but only of things we can - * actually update */ - ldb_ret = gendb_search(ldb, - mem_ctx, NULL, - &msgs, attrs, - "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))"); - if (ldb_ret == -1) { - DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb))); - talloc_free(mem_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - for (i=0; i < ldb_ret; i++) { - /* Make a credentials structure from it */ - creds = cli_credentials_init(mem_ctx); - if (!creds) { - DEBUG(1, ("cli_credentials_init failed!")); - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - cli_credentials_set_conf(creds); - filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_get_linearized(msgs[i]->dn)); - status = cli_credentials_set_secrets(creds, NULL, filter); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to read secrets for keytab update for %s\n", - filter)); - continue; - } - ret = cli_credentials_update_keytab(creds); - if (ret != 0) { - DEBUG(1, ("Failed to update keytab for %s\n", - filter)); - continue; - } - } - return NT_STATUS_OK; -} - -- cgit From 41771deb299d23bb0aabb15d8f1e0858a6ea8d0b Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher
Date: Tue, 13 Feb 2007 13:14:14 +0000
Subject: r21314: add more usefull debug output metze
(This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
---
 source4/auth/credentials/credentials_files.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 006f242de9..2978fe16f8 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -226,15 +226,15 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 &msgs, attrs,
 "%s", filter);
 if (ldb_ret == 0) {
- DEBUG(1, ("Could not find entry to match filter: %s\n",
- filter));
+ DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n",
+ filter, base));
 /* set anonymous as the fallback, if the machine account won't work */
 cli_credentials_set_anonymous(cred);
 talloc_free(mem_ctx);
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 } else if (ldb_ret != 1) {
- DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
- ldb_ret, filter));
+ DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
+ ldb_ret, filter, base));
 /* set anonymous as the fallback, if the machine account won't work */
 cli_credentials_set_anonymous(cred);
 talloc_free(mem_ctx);
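Review bot: The `else if (ldb_ret != 1)` branch this hunk reworks also catches gendb_search's error return of -1 (the removed cli_credentials_update_all_keytabs tested `ldb_ret == -1` explicitly), so a failed search is now logged as `Found more than one (-1) entry to match filter ...`, which points the reader the wrong way. Give the error its own branch ahead of the existing ones, logging `ldb_errstring(ldb)` as that removed code did. Both new messages also print `base` with `%s`; the function is public and an earlier caller in this file passed NULL as `base`, so guard the argument (`base ? base : "(null)"`) rather than rely on the libc tolerating a NULL. cli_credentials_set_secrets begins and ends outside this hunk.
```c
	if (ldb_ret == -1) {
		DEBUG(1, ("Error searching for filter: '%s' base: '%s': %s\n",
			  filter, base ? base : "(null)", ldb_errstring(ldb)));
		/* set anonymous as the fallback, if the machine account won't work */
		cli_credentials_set_anonymous(cred);
		talloc_free(mem_ctx);
		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
	} else if (ldb_ret == 0) {
		/* … unchanged: "Could not find entry" and "Found more than one" paths … */
```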
@@ -247,8 +247,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, machine_account = ldb_msg_find_attr_as_string(msgs[0], "samAccountName", NULL); if (!machine_account) { - DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n", - cli_credentials_get_domain(cred))); + DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n", + cli_credentials_get_domain(cred), filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); -- cgit From 3b14713f6d583a33fc2b2bb8c2c3aab6f5928630 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Feb 2007 12:54:58 +0000 Subject: r21362: rename: "ntPwdHash" => "unicodePwd" "lmPwdHash" => "dBCSPwd" "sambaLMPwdHistory" => "lmPwdHistory" "sambaNTPwdHistory" => "ntPwdHistory" Note: you need to reprovision after this change! metze (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad) --- source4/auth/credentials/credentials_files.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 2978fe16f8..023dc90407 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -184,7 +184,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "flatname", "realm", "secureChannelType", - "ntPwdHash", + "unicodePwd", "msDS-KeyVersionNumber", "saltPrincipal", "privateKeytab", @@ -264,7 +264,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } if (!password) { - const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash"); + const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "unicodePwd"); struct samr_Password hash; ZERO_STRUCT(hash); if (nt_password_hash) { -- cgit 
From 847102c6ca17f7b7d665863b8caa1d85baef46ad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 7 Mar 2007 04:20:10 +0000 Subject: r21736: Fix the smbclient test to do something more interesting with the last few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load it's static modules, so I put this in ldb_connect(). Andrew Bartlett (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 023dc90407..fe8e9aff97 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -89,7 +89,7 @@ BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, co BOOL ret; if (fd < 0) { - fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n", + fprintf(stderr, "Error opening password file %s: %s\n", file, strerror(errno)); return False; } -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/auth/credentials/credentials_files.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index fe8e9aff97..7bf94de12f 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 362ff066903524c710c53b92aad26671c8ebaa42 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Aug 2007 04:35:29 +0000 Subject: r24730: Allow secrets entries to be for service principals. Andrew Bartlett (This used to be commit 7865d10a299a84ed42de4435b7e6400d56161ac5) --- source4/auth/credentials/credentials_files.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 7bf94de12f..2b6bc4f9d6 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -188,6 +188,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "saltPrincipal", "privateKeytab", "krb5Keytab", + "servicePrincipalName", NULL }; 
@@ -246,12 +247,16 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 machine_account = ldb_msg_find_attr_as_string(msgs[0], "samAccountName", NULL);
 if (!machine_account) {
- DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
- cli_credentials_get_domain(cred), filter, base));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
+
+ if (!machine_account) {
+ DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
+ cli_credentials_get_domain(cred), filter, base));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
 }
 salt_principal = ldb_msg_find_attr_as_string(msgs[0], "saltPrincipal", NULL);
-- cgit
From ffeee68e4b72dd94fee57366bd8d38b8c284c3d4 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sat, 8 Sep 2007 12:42:09 +0000
Subject: r25026: Move param/param.h out of includes.h
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
---
 source4/auth/credentials/credentials_files.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/auth/credentials/credentials_files.c')
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 2b6bc4f9d6..5770dbf057 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -29,6 +29,7 @@
 #include "db_wrap.h"
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_krb5.h"
+#include "param/param.h"
 /**
 * Read a file descriptor, and parse it for a password (eg from a file or stdin)
-- cgit
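Review bot: The fallback to `servicePrincipalName` is reasonable, but the DEBUG message inside the new nested block still names only `samAccountName` although both attributes have now been tried; `DEBUG(1, ("Could not find 'samAccountName' or 'servicePrincipalName' in join record to domain: %s: filter: '%s' base: '%s'\n",` keeps the log accurate about what was looked up. Since `machine_account` later becomes the username via cli_credentials_set_username (below the hunk), a one-line comment on the fallback, `/* service-principal records carry no samAccountName; use the SPN as the principal name */`, would save the next reader a search. cli_credentials_set_secrets begins and ends outside this hunk.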
From 2f3551ca7cee59d4d053cceb87abdf1da1b3a1ad Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 1 Oct 2007 18:52:55 +0000 Subject: r25446: Merge some changes I made on the way home from SFO: 2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 5770dbf057..2aefb7c52f 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -308,7 +308,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } else { keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { - keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab)); + keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, global_loadparm, keytab)); if (keytab) { cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); } -- cgit From 3642f3b40d755209a843745f160a9d7962a6deca Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 6 Oct 2007 22:16:19 +0000 Subject: r25552: Convert to standard bool type. (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245) --- source4/auth/credentials/credentials_files.c | 32 ++++++++++++++-------------- 1 file changed, 16 insertions(+), 16 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 2aefb7c52f..1708fa5841 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -39,7 +39,7 @@ * @param obtained This enum describes how 'specified' this password is */ -BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials, +bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, int fd, enum credentials_obtained obtained) { char *p; @@ -61,18 +61,18 @@ BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials, break; } else { fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n"); - return False; + return false; } default: fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, strerror(errno)); - return False; + return false; } } cli_credentials_set_password(credentials, pass, obtained); - return True; + return true; } /** @@ -83,15 +83,15 @@ BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials, * @param obtained This enum describes how 'specified' this password is */ -BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained) +bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained) { int fd = open(file, O_RDONLY, 0); - BOOL ret; + bool ret; if (fd < 0) { fprintf(stderr, "Error opening password file %s: %s\n", file, strerror(errno)); - return False; + return false; } ret = cli_credentials_parse_password_fd(credentials, fd, obtained); @@ -109,7 +109,7 @@ BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, co * @param obtained This enum describes how 'specified' this password is */ -BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) +bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) { uint16_t len = 0; char *ptr, *val, *param; 
@@ -122,7 +122,7 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, { /* fail if we can't open the credentials file */ d_printf("ERROR: Unable to open credentials file!\n"); - return False; + return false; } for (i = 0; i < numlines; i++) { @@ -158,7 +158,7 @@ BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, talloc_free(lines); - return True; + return true; } @@ -203,10 +203,10 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, const char *keytab; /* ok, we are going to get it now, don't recurse back here */ - cred->machine_account_pending = False; + cred->machine_account_pending = false; /* some other parts of the system will key off this */ - cred->machine_account = True; + cred->machine_account = true; mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); @@ -331,7 +331,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ - cred->machine_account_pending = False; + cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); return cli_credentials_set_secrets(cred, NULL, SECRETS_PRIMARY_DOMAIN_DN, @@ -350,7 +350,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ - cred->machine_account_pending = False; + cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); 
@@ -371,7 +371,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ - cred->machine_account_pending = False; + cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), @@ -391,7 +391,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, */ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred) { - cred->machine_account_pending = True; + cred->machine_account_pending = true; } -- cgit From ca0b72a1fdb7bd965065e833df34662afef0423e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 16 Nov 2007 20:12:00 +0100 Subject: r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies. (This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 1708fa5841..db69fc1cb4 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -26,7 +26,7 @@ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ #include "param/secrets.h" #include "system/filesys.h" -#include "db_wrap.h" +#include "util/util_ldb.h" #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_krb5.h" #include "param/param.h" -- cgit From 991ee1aff092187bcfdd0ee1d9eb15361f73d5f7 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Thu, 29 Nov 2007 16:01:16 +0100 Subject: r26205: Pass loadparm_context to secrets_db_connect() rather than using global context. (This used to be commit 5718b6cfee86ddfc9cf405c98c68ba848df4d9d7) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index db69fc1cb4..2d850956e2 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -212,7 +212,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!ldb) { /* Local secrets are stored in secrets.ldb */ - ldb = secrets_db_connect(mem_ctx); + ldb = secrets_db_connect(mem_ctx, global_loadparm); if (!ldb) { /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); -- cgit From cc04f143dcd35fb67884e385ffd3e6ed2d32a4c2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Dec 2007 19:04:33 +0100 Subject: r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm. (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a) --- source4/auth/credentials/credentials_files.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 2d850956e2..f3f73f7fb1 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -169,6 +169,7 @@ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, * @retval NTSTATUS error detailing any failure */ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, const char *filter) @@ -212,7 +213,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!ldb) { /* Local secrets are stored in secrets.ldb */ - ldb = secrets_db_connect(mem_ctx, global_loadparm); + ldb = secrets_db_connect(mem_ctx, lp_ctx); if (!ldb) { /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); @@ -308,7 +309,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, } else { keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { - keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, global_loadparm, keytab)); + keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab)); if (keytab) { cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); } @@ -334,7 +335,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, NULL, SECRETS_PRIMARY_DOMAIN_DN, + return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); } @@ -354,7 +355,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN, + return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN, filter); } 
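Review bot: In the `@@ -308,7 +309,7 @@` hunk the return value of `private_path(mem_ctx, lp_ctx, keytab)` goes straight into `talloc_asprintf(mem_ctx, "FILE:%s", ...)`; only the outer `keytab` result is NULL-checked, so if `private_path()` can return NULL (for example on allocation failure — I cannot confirm its contract from here) this becomes a NULL `%s` argument, which is undefined behaviour rather than a clean fallback. Capture it first: `const char *path = private_path(mem_ctx, lp_ctx, keytab); if (path) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", path); }`. The enclosing `cli_credentials_set_secrets` body continues outside this hunk.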
@@ -376,7 +377,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, NULL, SECRETS_PRINCIPALS_DN, + return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN, filter); } -- cgit From da0f222f432c4fc8bf5da80baf849ca32b315ca0 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 23:33:16 +0100 Subject: r26271: Remove some more uses of global_loadparm. (This used to be commit e9875fcd56de0748ed78d7e3c9cdb4919cd96d3c) --- source4/auth/credentials/credentials_files.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index f3f73f7fb1..1f4b467371 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -335,7 +335,8 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRIMARY_DOMAIN_DN, + return cli_credentials_set_secrets(cred, global_loadparm, NULL, + SECRETS_PRIMARY_DOMAIN_DN, filter); } @@ -355,7 +356,8 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN, + return cli_credentials_set_secrets(cred, global_loadparm, NULL, + SECRETS_PRINCIPALS_DN, filter); } 
@@ -377,8 +379,8 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, SECRETS_PRINCIPALS_DN, - filter); + return cli_credentials_set_secrets(cred, global_loadparm, NULL, + SECRETS_PRINCIPALS_DN, filter); } /** -- cgit From 509e82e402d64c79f27c9a10d75b100a1ac5fefa Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 3 Dec 2007 23:33:22 +0100 Subject: r26272: Remove global_loadparm in some more places. (This used to be commit 1ab76ecc5311fa863e5d04899b6f110899818f55) --- source4/auth/credentials/credentials_files.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 1f4b467371..e7435f56f8 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -346,7 +346,8 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) +NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { char *filter; /* Bleh, nasty recursion issues: We are setting a machine @@ -356,7 +357,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred) filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, + return cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } -- cgit From a2cea02584256e2cf59da5420e8e080e70c66939 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Thu, 13 Dec 2007 22:46:17 +0100 Subject: r26430: require explicit specification of loadparm context. (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6) --- source4/auth/credentials/credentials_files.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index e7435f56f8..c1001c9622 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -305,13 +305,13 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * (chewing CPU time) from the password */ keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL); if (keytab) { - cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); } else { keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab)); if (keytab) { - cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); } } } @@ -326,7 +326,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) +NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { char *filter; /* Bleh, nasty recursion issues: We are setting a machine 
@@ -335,7 +336,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred) cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, + return cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); } @@ -369,6 +370,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, * @retval NTSTATUS error detailing any failure */ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, const char *serviceprincipal) { char *filter; @@ -380,7 +382,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, global_loadparm, NULL, + return cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } @@ -393,9 +395,11 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, * than during, popt processing. * */ -void cli_credentials_set_machine_account_pending(struct cli_credentials *cred) +void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, + struct loadparm_context *lp_ctx) { cred->machine_account_pending = true; + cred->machine_account_pending_lp_ctx = lp_ctx; } -- cgit From afe3e8172ddaa5e4aa811faceecda4f943d6e2ef Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 2 Apr 2008 04:53:27 +0200 Subject: Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343) --- source4/auth/credentials/credentials_files.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') 
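Review bot: In the last hunk, `cli_credentials_set_machine_account_pending` now stashes the caller's `lp_ctx` in `cred->machine_account_pending_lp_ctx` for a later lookup, but nothing documents who keeps that `loadparm_context` alive; if a caller frees it before the deferred machine-account fetch runs, the stored raw pointer dangles. Add to the function's doc comment a line such as ` * @param lp_ctx loadparm context for the deferred lookup; only the pointer is stored, so it must outlive cred (or be talloc-referenced by it).` The field's declaration and the code that later reads it are outside this hunk.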
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index c1001c9622..8bcbc65575 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -39,7 +39,7 @@ * @param obtained This enum describes how 'specified' this password is */ -bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, +_PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, int fd, enum credentials_obtained obtained) { char *p; @@ -83,7 +83,7 @@ bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, * @param obtained This enum describes how 'specified' this password is */ -bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained) +_PUBLIC_ bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained) { int fd = open(file, O_RDONLY, 0); bool ret; @@ -109,7 +109,7 @@ bool cli_credentials_parse_password_file(struct cli_credentials *credentials, co * @param obtained This enum describes how 'specified' this password is */ -bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) +_PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) { uint16_t len = 0; char *ptr, *val, *param; @@ -168,7 +168,7 @@ bool cli_credentials_parse_file(struct cli_credentials *cred, const char *file, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, +_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, 
@@ -326,7 +326,7 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { char *filter; @@ -369,7 +369,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure */ -NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, +_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, struct loadparm_context *lp_ctx, const char *serviceprincipal) { @@ -395,7 +395,7 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, * than during, popt processing. * */ -void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, +_PUBLIC_ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { cred->machine_account_pending = true; -- cgit From 4c449fe95f20676553b04a6028310191b4a2a32a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Apr 2008 21:39:26 +1100 Subject: Extend credentials python API to include set_machine_account. Andrew Bartlett (This used to be commit 88b7a3980c7be90ea0099a3ecf08ad00fa89ea1a) --- source4/auth/credentials/credentials_files.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 8bcbc65575..1bbdf8a5ad 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
@@ -327,7 +327,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, - struct loadparm_context *lp_ctx) + struct loadparm_context *lp_ctx) { char *filter; /* Bleh, nasty recursion issues: We are setting a machine -- cgit From 1efbd5fbf6b0f606ed29a763e2adfa6f99c6beac Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2008 01:03:18 +0200 Subject: Remove event context tracking from the credentials struct. (This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e) --- source4/auth/credentials/credentials_files.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 1bbdf8a5ad..ab76ea2cde 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -30,6 +30,7 @@ #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_krb5.h" #include "param/param.h" +#include "lib/events/events.h" /** * Read a file descriptor, and parse it for a password (eg from a file or stdin) @@ -169,6 +170,7 @@ _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const cha * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, 
@@ -305,13 +307,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * (chewing CPU time) from the password */ keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL); if (keytab) { - cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); } else { keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab)); if (keytab) { - cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); } } } @@ -336,7 +338,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); } @@ -348,6 +350,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr * @retval NTSTATUS error detailing any failure */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx) { char *filter; @@ -358,7 +361,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } 
@@ -370,6 +373,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal) { @@ -382,7 +386,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } -- cgit From 929adc9efa5cf985f0585214d30d18521aa1a821 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 14 Jun 2008 11:24:17 -0400 Subject: Make up the right dependencies now that ldb depends on libevents (This used to be commit 3b8eec7ca334528cad3cdcd5e3fc5ee555d8d0e0) --- source4/auth/credentials/credentials_files.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index ab76ea2cde..05b0bf56a8 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -22,6 +22,7 @@ */ #include "includes.h" +#include "lib/events/events.h" #include "lib/ldb/include/ldb.h" #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ #include "param/secrets.h" @@ -215,7 +216,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!ldb) { /* Local secrets are stored in secrets.ldb */ - ldb = secrets_db_connect(mem_ctx, lp_ctx); + ldb = secrets_db_connect(mem_ctx, event_ctx, lp_ctx); if (!ldb) { /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); -- cgit From f5d18f4d241907950e079dcbfe1c724358187ec0 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Tue, 15 Jul 2008 15:05:41 +1000 Subject: Allow ldap credentials to be (optionally) stored in secrets.ldb This includes a simple bind DN, or SASL credentials. The error messages are reworked as on systems without an LDAP backend, we will fail to find this record very often. Andrew Bartlett (This used to be commit 95825ae6d5e9d9846f3a7505a81ebe603826227e) --- source4/auth/credentials/credentials_files.c | 44 +++++++++++++++++++++------- 1 file changed, 33 insertions(+), 11 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 05b0bf56a8..bba3fdc308 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -194,6 +194,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, "privateKeytab", "krb5Keytab", "servicePrincipalName", + "ldapBindDn", NULL }; @@ -221,6 +222,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); DEBUG(1, ("Could not open secrets.ldb\n")); + talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } } 
@@ -255,12 +257,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL); if (!machine_account) { - DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n", - cli_credentials_get_domain(cred), filter, base)); - /* set anonymous as the fallback, if the machine account won't work */ - cli_credentials_set_anonymous(cred); - talloc_free(mem_ctx); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL); + if (!ldap_bind_dn) { + DEBUG(5, ("(normal if no LDAP backend required) Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", + filter, base)); + /* set anonymous as the fallback, if the machine account won't work */ + cli_credentials_set_anonymous(cred); + talloc_free(mem_ctx); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } } } @@ -299,7 +304,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, cli_credentials_set_realm(cred, realm, CRED_SPECIFIED); } - cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + if (machine_account) { + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + } cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0)); @@ -332,6 +339,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around 
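Review bot: In the first hunk `ldapBindDn` is fetched only to decide not to bail out: `ldap_bind_dn` is never applied to `cred`, and as far as this commit's hunks show (their added lines account for the full 33-line diffstat) nothing else in `cli_credentials_set_secrets` consumes it, so a record carrying only `ldapBindDn` now passes this gate and then skips `cli_credentials_set_username` in the second hunk, yielding credentials with a password but no bind identity set here. If the consumer is expected to read `ldapBindDn` from the record itself, say so in a comment at this point; otherwise set it on the credentials with the matching setter (something like `cli_credentials_set_bind_dn(cred, ldap_bind_dn);`, if such an API exists). The rest of the function lies outside these hunks.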
@@ -339,9 +347,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status))); + } + return status; } /** @@ -354,6 +366,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, struct event_context *event_ctx, struct loadparm_context *lp_ctx) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -362,13 +375,17 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status))); + } + return status; } /** - * Fill in credentials for the machine trust account, from the secrets database. + * Fill in credentials for a particular prinicpal, from the secrets database. * * @param cred Credentials structure to fill in * @retval NTSTATUS error detailing any failure 
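Review bot: The two new `DEBUG(1, (...))` calls in this line's hunks — `"Could not find machine account in secrets database: %s"` and `"Could not find krbtgt (master Kerberos) account in secrets database: %s"` — lack a trailing `\n`, unlike the other DEBUG formats in this file (e.g. `"Could not open secrets.ldb\n"`), so the following log line is glued onto the status text. Append `\n` to both format strings. The rewritten doc line in the `@@ -362,13 +375,17 @@` hunk also misspells "principal": ` * Fill in credentials for a particular principal, from the secrets database.`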
@@ -378,6 +395,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c struct loadparm_context *lp_ctx, const char *serviceprincipal) { + NTSTATUS status; char *filter; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around @@ -387,8 +405,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status))); + } + return status; } /** -- cgit From 63d91e9ab0ecc1e80edff27ae09b249c68453106 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jul 2008 19:31:37 +1000 Subject: Kill of some bogus debugs for the world who does not use the LDAP backend (This used to be commit 5bde586bdb4a1523a62a764b9ff292a4a8cee4fe) --- source4/auth/credentials/credentials_files.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth/credentials/credentials_files.c') diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index bba3fdc308..6c3bb2531e 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c 
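Review bot: In the `@@ -387,8 +405,12 @@` hunk the new failure path logs `"Could not find %s principal in secrets database: %s"` without a trailing `\n`, and the `filter` built a few lines earlier by `talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH, ...)` is handed to `cli_credentials_set_secrets()` unchecked, so on allocation failure it becomes a NULL `%s` argument to the ldb search performed there (that call is outside this hunk); add `if (filter == NULL) { return NT_STATUS_NO_MEMORY; }` before the call. Since `serviceprincipal` is interpolated verbatim into the search filter, any caller that obtains it from somewhere other than local configuration should filter-escape it first with ldb's encoding helper — I cannot see the callers from here. The function's opening lines are outside the hunk.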
@@ -233,14 +233,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, &msgs, attrs, "%s", filter); if (ldb_ret == 0) { - DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n", filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); talloc_free(mem_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else if (ldb_ret != 1) { - DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", + DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n", ldb_ret, filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); @@ -259,7 +259,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, if (!machine_account) { const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL); if (!ldap_bind_dn) { - DEBUG(5, ("(normal if no LDAP backend required) Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", + DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n", filter, base)); /* set anonymous as the fallback, if the machine account won't work */ cli_credentials_set_anonymous(cred); -- cgit
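Review bot: Demoting the `Found more than one (%d) entry to match filter` message to level 5 in the first hunk lumps a genuine misconfiguration in with the "no LDAP backend" case the commit targets: two records in secrets.ldb matching the same filter means the account lookup fails and `cli_credentials_set_anonymous(cred)` silently replaces it, which an operator should see at the default debug level. Keep that branch at `DEBUG(1, (...))` and demote only the zero-match case. The surrounding `cli_credentials_set_secrets` body lies outside these hunks.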