The branch, master has been updated via dff29e4 auth/credentials: Look in the secrets.tdb for the machine account via 6d24c89 s4-param: Use a unique header name via 4b61c48 s3-secrets: Use C99 types from 726ecf6 Fix bug #9016 - Connection to outbound trusted domain goes offline.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit dff29e4aee5f6adda32e5a0905d3c46e810feb27 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Jul 14 22:23:41 2012 +1000 auth/credentials: Look in the secrets.tdb for the machine account This is for use with the -P/--machine-pass option. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Sun Jul 15 05:41:28 CEST 2012 on sn-devel-104 commit 6d24c899db76161a6f8d092b6fae054c6e663432 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Jul 14 22:22:37 2012 +1000 s4-param: Use a unique header name commit 4b61c4891a309172057caf058c39931fe752bd65 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Jul 14 22:18:29 2012 +1000 s3-secrets: Use C99 types ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_secrets.c | 51 ++++++++++++++++++++++++++++- auth/credentials/wscript_build | 2 +- source3/include/secrets.h | 10 +++--- source3/passdb/machine_account_secrets.c | 12 +++--- source4/param/secrets.h | 6 ++-- 5 files changed, 64 insertions(+), 17 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index bc08d9d..8206173 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -34,6 +34,11 @@ #include "param/param.h" #include "lib/events/events.h" #include "dsdb/samdb/samdb.h" +#include "source3/include/secrets.h" +#include "dbwrap/dbwrap.h" +#include "dbwrap/dbwrap_open.h" +#include "lib/util/util_tdb.h" + /** * Fill in credentials for the machine trust account, from the secrets database. 
@@ -197,17 +202,59 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr NTSTATUS status; char *filter; char *error_string; + const char *domain; /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ cred->machine_account_pending = false; + + /* We have to do this, as the fallback in + * cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */ + domain = cli_credentials_get_domain(cred); filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, - cli_credentials_get_domain(cred)); + domain); status = cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter, &error_string); + if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status) + || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) { + TDB_DATA dbuf; + char *secrets_tdb = lpcfg_private_path(cred, lp_ctx, "secrets.tdb"); + struct db_context *db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0, + TDB_DEFAULT, O_RDWR, 0600, + DBWRAP_LOCK_ORDER_1); + if (db_ctx) { + char *keystr; + char *keystr_upper; + keystr = talloc_asprintf(cred, "%s/%s", + SECRETS_MACHINE_PASSWORD, + domain); + keystr_upper = strupper_talloc(cred, keystr); + TALLOC_FREE(keystr); + status = dbwrap_fetch(db_ctx, cred, string_tdb_data(keystr_upper), + &dbuf); + + if (NT_STATUS_IS_OK(status)) { + char *machine_account = talloc_asprintf(cred, "%s$", lpcfg_netbios_name(lp_ctx)); + cli_credentials_set_password(cred, (const char *)dbuf.dptr, CRED_SPECIFIED); + cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); + TALLOC_FREE(machine_account); + TALLOC_FREE(dbuf.dptr); + } else { + error_string = talloc_asprintf(cred, + "Failed to fetch machine account password from " + "secrets.ldb: %s and failed to fetch %s from %s", + error_string, keystr_upper, secrets_tdb); + } + TALLOC_FREE(keystr_upper); + 
TALLOC_FREE(secrets_tdb); + } + } + if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", nt_errstr(status), error_string)); + DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", + error_string, nt_errstr(status))); talloc_free(error_string); } return status; diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build index a7936e9..0b2aec2 100755 --- a/auth/credentials/wscript_build +++ b/auth/credentials/wscript_build @@ -17,7 +17,7 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5', bld.SAMBA_SUBSYSTEM('CREDENTIALS_SECRETS', source='credentials_secrets.c', - deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common', + deps='CREDENTIALS_KRB5 CREDENTIALS_NTLM ldb SECRETS samdb-common dbwrap', ) bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM', diff --git a/source3/include/secrets.h b/source3/include/secrets.h index 5b778d1..fa215ff 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h @@ -58,7 +58,7 @@ /* structure for storing machine account password (ie. when samba server is member of a domain */ struct machine_acct_pass { - uint8 hash[16]; + uint8_t hash[16]; time_t mod_time; }; @@ -69,12 +69,12 @@ struct machine_acct_pass { #define SECRETS_AFS_MAXKEYS 8 struct afs_key { - uint32 kvno; + uint32_t kvno; char key[8]; }; struct afs_keyfile { - uint32 nkeys; + uint32_t nkeys; struct afs_key entry[SECRETS_AFS_MAXKEYS]; }; 
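Review bot: `cli_credentials_set_password(cred, (const char *)dbuf.dptr, CRED_SPECIFIED)` treats the raw TDB record as a NUL-terminated string, but nothing in the hunk checks that `dbuf.dsize > 0` or that its last byte is `'\0'`, so a truncated or malformed secrets.tdb entry would make the password setter read past the talloc'd buffer. Guard the value before using it, e.g. `if (NT_STATUS_IS_OK(status) && (dbuf.dsize == 0 || dbuf.dptr[dbuf.dsize - 1] != '\0')) { TALLOC_FREE(dbuf.dptr); status = NT_STATUS_NOT_FOUND; }` ahead of the `if (NT_STATUS_IS_OK(status))` branch. The `db_ctx` handle is also never released, so the opened secrets.tdb (and its descriptor) stays attached to `cred` for the credential's whole lifetime; a `TALLOC_FREE(db_ctx);` after the fetch, and opening with `O_RDONLY` rather than `O_RDWR` since this path only reads, would keep that exposure minimal if dbwrap_local_open permits it. The function's signature and closing brace lie outside this hunk.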
@@ -100,10 +100,10 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid); void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain); enum netr_SchannelType get_default_sec_channel(void); bool secrets_fetch_trust_account_password_legacy(const char *domain, - uint8 ret_pwd[16], + uint8_t ret_pwd[16], time_t *pass_last_set_time, enum netr_SchannelType *channel); -bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], +bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16], time_t *pass_last_set_time, enum netr_SchannelType *channel); bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd, diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index 463de71..30f5f82 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -313,7 +313,7 @@ enum netr_SchannelType get_default_sec_channel(void) ************************************************************************/ bool secrets_fetch_trust_account_password_legacy(const char *domain, - uint8 ret_pwd[16], + uint8_t ret_pwd[16], time_t *pass_last_set_time, enum netr_SchannelType *channel) { @@ -351,7 +351,7 @@ bool secrets_fetch_trust_account_password_legacy(const char *domain, the above secrets_lock_trust_account_password(). ************************************************************************/ -bool secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], +bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16], time_t *pass_last_set_time, enum netr_SchannelType *channel) { 
@@ -442,8 +442,8 @@ bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel) { bool ret; - uint32 last_change_time; - uint32 sec_channel_type; + uint32_t last_change_time; + uint32_t sec_channel_type; if (!secrets_store_prev_machine_password(domain)) { return false; @@ -487,7 +487,7 @@ char *secrets_fetch_machine_password(const char *domain, if (pass_last_set_time) { size_t size; - uint32 *last_set_time; + uint32_t *last_set_time; last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size); if (last_set_time) { *pass_last_set_time = IVAL(last_set_time,0); @@ -499,7 +499,7 @@ char *secrets_fetch_machine_password(const char *domain, if (channel) { size_t size; - uint32 *channel_type; + uint32_t *channel_type; channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size); if (channel_type) { *channel = IVAL(channel_type,0); diff --git a/source4/param/secrets.h b/source4/param/secrets.h index 6576929..1e7849f 100644 --- a/source4/param/secrets.h +++ b/source4/param/secrets.h @@ -17,8 +17,8 @@ * this program; if not, see <http://www.gnu.org/licenses/>. */ -#ifndef _SECRETS_H -#define _SECRETS_H +#ifndef _SOURCE4_PARAM_SECRETS_H +#define _SOURCE4_PARAM_SECRETS_H #define SECRETS_PRIMARY_DOMAIN_DN "cn=Primary Domains" #define SECRETS_PRINCIPALS_DN "cn=Principals" @@ -54,4 +54,4 @@ struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx, char *keytab_name_from_msg(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldb_message *msg); -#endif /* _SECRETS_H */ +#endif /* _SOURCE4_PARAM_SECRETS_H */ -- Samba Shared Repository
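Review bot: In the `@@ -487` hunk the declaration becomes `uint32_t *last_set_time;` but the assignment on the next line still casts with `(unsigned int *)`, so two spellings of the same type now sit side by side; change the cast to `(uint32_t *)` (likewise for `channel_type` in the `@@ -499` hunk). Both sites also read the fetched blob through `IVAL(..., 0)` without comparing the returned `size` against `sizeof(uint32_t)`, so a short or corrupted record in secrets.tdb would be read past its end unless secrets_fetch guarantees a minimum length, which the hunk does not show; a check such as `if (last_set_time && size >= sizeof(uint32_t))` before the IVAL would close that. The enclosing function secrets_fetch_machine_password continues outside both hunks.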