The branch, master has been updated
       via  dff29e4 auth/credentials: Look in the secrets.tdb for the machine 
account
       via  6d24c89 s4-param: Use a unique header name
       via  4b61c48 s3-secrets: Use C99 types
      from  726ecf6 Fix bug #9016 - Connection to outbound trusted domain goes 
offline.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit dff29e4aee5f6adda32e5a0905d3c46e810feb27
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Jul 14 22:23:41 2012 +1000

    auth/credentials: Look in the secrets.tdb for the machine account
    
    This is for use with the -P/--machine-pass option.
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104

commit 6d24c899db76161a6f8d092b6fae054c6e663432
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Jul 14 22:22:37 2012 +1000

    s4-param: Use a unique header name

commit 4b61c4891a309172057caf058c39931fe752bd65
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Jul 14 22:18:29 2012 +1000

    s3-secrets: Use C99 types

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_secrets.c   |   51 ++++++++++++++++++++++++++++-
 auth/credentials/wscript_build           |    2 +-
 source3/include/secrets.h                |   10 +++---
 source3/passdb/machine_account_secrets.c |   12 +++---
 source4/param/secrets.h                  |    6 ++--
 5 files changed, 64 insertions(+), 17 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_secrets.c 
b/auth/credentials/credentials_secrets.c
index bc08d9d..8206173 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -34,6 +34,11 @@
 #include "param/param.h"
 #include "lib/events/events.h"
 #include "dsdb/samdb/samdb.h"
+#include "source3/include/secrets.h"
+#include "dbwrap/dbwrap.h"
+#include "dbwrap/dbwrap_open.h"
+#include "lib/util/util_tdb.h"
+
 
 /**
  * Fill in credentials for the machine trust account, from the secrets 
database.
@@ -197,17 +202,59 @@ _PUBLIC_ NTSTATUS 
cli_credentials_set_machine_account(struct cli_credentials *cr
        NTSTATUS status;
        char *filter;
        char *error_string;
+       const char *domain;
        /* Bleh, nasty recursion issues: We are setting a machine
         * account here, so we don't want the 'pending' flag around
         * any more */
        cred->machine_account_pending = false;
+
+       /* We have to do this, as the fallback in
+        * cli_credentials_set_secrets is to run as anonymous, so the domain is 
wiped */
+       domain = cli_credentials_get_domain(cred);
        filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
-                                cli_credentials_get_domain(cred));
+                                domain);
        status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
                                             SECRETS_PRIMARY_DOMAIN_DN,
                                             filter, &error_string);
+       if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
+           || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
+               TDB_DATA dbuf;
+               char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, 
"secrets.tdb");
+               struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, 
secrets_tdb, 0,
+                                                             TDB_DEFAULT, 
O_RDWR, 0600,
+                                                             
DBWRAP_LOCK_ORDER_1);
+               if (db_ctx) {
+                       char *keystr;
+                       char *keystr_upper;
+                       keystr = talloc_asprintf(cred, "%s/%s",
+                                                SECRETS_MACHINE_PASSWORD,
+                                                domain);
+                       keystr_upper = strupper_talloc(cred, keystr);
+                       TALLOC_FREE(keystr);
+                       status = dbwrap_fetch(db_ctx, cred, 
string_tdb_data(keystr_upper),
+                                             &dbuf);
+                       
+                       if (NT_STATUS_IS_OK(status)) {
+                               char *machine_account = talloc_asprintf(cred, 
"%s$", lpcfg_netbios_name(lp_ctx));
+                               cli_credentials_set_password(cred, (const char 
*)dbuf.dptr, CRED_SPECIFIED);
+                               cli_credentials_set_domain(cred, domain, 
CRED_SPECIFIED);
+                               cli_credentials_set_username(cred, 
machine_account, CRED_SPECIFIED);
+                               TALLOC_FREE(machine_account);
+                               TALLOC_FREE(dbuf.dptr);
+                       } else {
+                               error_string = talloc_asprintf(cred, 
+                                                              "Failed to fetch 
machine account password from "
+                                                              "secrets.ldb: %s 
and failed to fetch %s from %s", 
+                                                              error_string, 
keystr_upper, secrets_tdb);
+                       }
+                       TALLOC_FREE(keystr_upper);
+                       TALLOC_FREE(secrets_tdb);
+               }
+       }
+       
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Could not find machine account in secrets database: 
%s: %s\n", nt_errstr(status), error_string));
+               DEBUG(1, ("Could not find machine account in secrets database: 
%s: %s\n", 
+                         error_string, nt_errstr(status)));
                talloc_free(error_string);
        }
        return status;
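Review bot: The record fetched from secrets.tdb is handed to `cli_credentials_set_password()` as `(const char *)dbuf.dptr` without looking at `dbuf.dsize`, so an empty or unterminated record (a damaged or hand-edited secrets.tdb) would be read past its end as a C string. Checking the length and the trailing NUL right after `dbwrap_fetch()`, and turning a malformed record into a failure status, lets it fall into the existing error branch, as in the excerpt below. The excerpt also releases `db_ctx`, which in the hunk stays allocated on `cred` with the database still open; `secrets_tdb` is likewise freed only when the open succeeded, and `O_RDWR` looks wider than a single fetch needs. The results of `lpcfg_private_path()`, `talloc_asprintf()` and `strupper_talloc()` are used unchecked, which is worth a NULL test before the key is built. The function begins before this hunk and its closing brace lies outside it.

```c
			status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper),
					      &dbuf);
			/* The record is used as a C string below: require a
			 * non-empty, NUL-terminated value before trusting it. */
			if (NT_STATUS_IS_OK(status)
			    && (dbuf.dsize == 0 || dbuf.dptr[dbuf.dsize - 1] != '\0')) {
				TALLOC_FREE(dbuf.dptr);
				status = NT_STATUS_INTERNAL_DB_CORRUPTION;
			}
			/* … unchanged: success branch setting password, domain and username; error_string branch … */
			TALLOC_FREE(keystr_upper);
			TALLOC_FREE(secrets_tdb);
			/* Do not keep secrets.tdb open for the lifetime of cred. */
			TALLOC_FREE(db_ctx);
```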
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index a7936e9..0b2aec2 100755
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -17,7 +17,7 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS',
        source='credentials_secrets.c',
-       deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common',
+       deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common 
dbwrap',
        )
 
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 5b778d1..fa215ff 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -58,7 +58,7 @@
 /* structure for storing machine account password
    (ie. when samba server is member of a domain */
 struct machine_acct_pass {
-       uint8 hash[16];
+       uint8_t hash[16];
        time_t mod_time;
 };
 
@@ -69,12 +69,12 @@ struct machine_acct_pass {
 #define SECRETS_AFS_MAXKEYS 8
 
 struct afs_key {
-       uint32 kvno;
+       uint32_t kvno;
        char key[8];
 };
 
 struct afs_keyfile {
-       uint32 nkeys;
+       uint32_t nkeys;
        struct afs_key entry[SECRETS_AFS_MAXKEYS];
 };
 
@@ -100,10 +100,10 @@ bool secrets_fetch_domain_guid(const char *domain, struct 
GUID *guid);
 void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain);
 enum netr_SchannelType get_default_sec_channel(void);
 bool secrets_fetch_trust_account_password_legacy(const char *domain,
-                                                uint8 ret_pwd[16],
+                                                uint8_t ret_pwd[16],
                                                 time_t *pass_last_set_time,
                                                 enum netr_SchannelType 
*channel);
-bool secrets_fetch_trust_account_password(const char *domain, uint8 
ret_pwd[16],
+bool secrets_fetch_trust_account_password(const char *domain, uint8_t 
ret_pwd[16],
                                          time_t *pass_last_set_time,
                                          enum netr_SchannelType *channel);
 bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
diff --git a/source3/passdb/machine_account_secrets.c 
b/source3/passdb/machine_account_secrets.c
index 463de71..30f5f82 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -313,7 +313,7 @@ enum netr_SchannelType get_default_sec_channel(void)
 ************************************************************************/
 
 bool secrets_fetch_trust_account_password_legacy(const char *domain,
-                                                uint8 ret_pwd[16],
+                                                uint8_t ret_pwd[16],
                                                 time_t *pass_last_set_time,
                                                 enum netr_SchannelType 
*channel)
 {
@@ -351,7 +351,7 @@ bool secrets_fetch_trust_account_password_legacy(const char 
*domain,
  the above secrets_lock_trust_account_password().
 ************************************************************************/
 
-bool secrets_fetch_trust_account_password(const char *domain, uint8 
ret_pwd[16],
+bool secrets_fetch_trust_account_password(const char *domain, uint8_t 
ret_pwd[16],
                                          time_t *pass_last_set_time,
                                          enum netr_SchannelType *channel)
 {
@@ -442,8 +442,8 @@ bool secrets_store_machine_password(const char *pass, const 
char *domain,
                                    enum netr_SchannelType sec_channel)
 {
        bool ret;
-       uint32 last_change_time;
-       uint32 sec_channel_type;
+       uint32_t last_change_time;
+       uint32_t sec_channel_type;
 
        if (!secrets_store_prev_machine_password(domain)) {
                return false;
@@ -487,7 +487,7 @@ char *secrets_fetch_machine_password(const char *domain,
 
        if (pass_last_set_time) {
                size_t size;
-               uint32 *last_set_time;
+               uint32_t *last_set_time;
                last_set_time = (unsigned int 
*)secrets_fetch(machine_last_change_time_keystr(domain), &size);
                if (last_set_time) {
                        *pass_last_set_time = IVAL(last_set_time,0);
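Review bot: The cast on the `secrets_fetch()` result is still `(unsigned int *)` although the pointer it is assigned to is now declared `uint32_t *`; the next hunk leaves the same cast in place for `channel_type`. Writing `(uint32_t *)secrets_fetch(...)` in both places would complete the conversion. In the visible lines `size` is filled in but never compared with the four bytes that `IVAL(last_set_time,0)` reads; the block continues outside the hunk, so if no length check exists there, a test such as `size >= sizeof(uint32_t)` before the `IVAL` read would reject a short record.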
@@ -499,7 +499,7 @@ char *secrets_fetch_machine_password(const char *domain,
 
        if (channel) {
                size_t size;
-               uint32 *channel_type;
+               uint32_t *channel_type;
                channel_type = (unsigned int 
*)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
                if (channel_type) {
                        *channel = IVAL(channel_type,0);
diff --git a/source4/param/secrets.h b/source4/param/secrets.h
index 6576929..1e7849f 100644
--- a/source4/param/secrets.h
+++ b/source4/param/secrets.h
@@ -17,8 +17,8 @@
  * this program; if not, see <http://www.gnu.org/licenses/>.  
  */
 
-#ifndef _SECRETS_H
-#define _SECRETS_H
+#ifndef _SOURCE4_PARAM_SECRETS_H
+#define _SOURCE4_PARAM_SECRETS_H
 
 #define SECRETS_PRIMARY_DOMAIN_DN "cn=Primary Domains"
 #define SECRETS_PRINCIPALS_DN "cn=Principals"
@@ -54,4 +54,4 @@ struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
 char *keytab_name_from_msg(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, 
struct ldb_message *msg);
 
 
-#endif /* _SECRETS_H */
+#endif /* _SOURCE4_PARAM_SECRETS_H */


-- 
Samba Shared Repository
