Author: mimir Date: 2007-08-29 19:55:13 +0000 (Wed, 29 Aug 2007) New Revision: 24789
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24789 Log: Add implementation of machine-authenticated connection to netlogon pipe used when connecting to win2k and newer domain controllers. The server may be configured to deny anonymous netlogon connections which would stop domain join verification step. Still, winnt domains require such smb sessions not to be authenticated using machine credentials. Creds employed in smb session cannot have a username in upn form, so provide the separate function to use machine account. rafal Modified: branches/SAMBA_3_2/source/utils/net.c branches/SAMBA_3_2/source/utils/net_ads.c branches/SAMBA_3_2/source/utils/net_rpc_join.c Changeset: Modified: branches/SAMBA_3_2/source/utils/net.c =================================================================== --- branches/SAMBA_3_2/source/utils/net.c 2007-08-29 19:03:20 UTC (rev 24788) +++ branches/SAMBA_3_2/source/utils/net.c 2007-08-29 19:55:13 UTC (rev 24789) @@ -341,10 +341,10 @@ } /**************************************************************************** - Use the local machine's password for this session. + Use the local machine account (upn) and password for this session. ****************************************************************************/ -int net_use_machine_password(void) +int net_use_upn_machine_account(void) { char *user_name = NULL; @@ -353,7 +353,6 @@ exit(1); } - user_name = NULL; opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); if (asprintf(&user_name, "[EMAIL PROTECTED]", global_myname(), lp_realm()) == -1) { return -1; @@ -362,6 +361,27 @@ return 0; } +/**************************************************************************** + Use the machine account name and password for this session. +****************************************************************************/ + +int net_use_machine_account(void) +{ + char *user_name = NULL; + + if (!secrets_init()) { + d_fprintf(stderr, "ERROR: Unable to open secrets database\n"); + exit(1); + } + + opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); + if (asprintf(&user_name, "%s$", global_myname()) == -1) { + return -1; + } + opt_user_name = user_name; + return 0; +} + BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name) { const char *d = domain ? domain : opt_target_workgroup; @@ -1044,7 +1064,7 @@ /* it is very useful to be able to make ads queries as the machine account for testing purposes and for domain leave */ - net_use_machine_password(); + net_use_upn_machine_account(); } if (!opt_password) { Modified: branches/SAMBA_3_2/source/utils/net_ads.c =================================================================== --- branches/SAMBA_3_2/source/utils/net_ads.c 2007-08-29 19:03:20 UTC (rev 24788) +++ branches/SAMBA_3_2/source/utils/net_ads.c 2007-08-29 19:55:13 UTC (rev 24789) @@ -882,7 +882,7 @@ return NT_STATUS_ACCESS_DENIED; } - net_use_machine_password(); + net_use_upn_machine_account(); status = ads_startup(True, &ads); if (!ADS_ERR_OK(status)) { @@ -2187,7 +2187,7 @@ return -1; } - net_use_machine_password(); + net_use_upn_machine_account(); use_in_memory_ccache(); Modified: branches/SAMBA_3_2/source/utils/net_rpc_join.c =================================================================== --- branches/SAMBA_3_2/source/utils/net_rpc_join.c 2007-08-29 19:03:20 UTC (rev 24788) +++ branches/SAMBA_3_2/source/utils/net_rpc_join.c 2007-08-29 19:55:13 UTC (rev 24789) @@ -42,14 +42,29 @@ **/ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) { + enum security_types sec; + unsigned int conn_flags = NET_FLAGS_PDC; uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL; + sec = (enum security_types)lp_security(); + + if (sec == SEC_ADS) { + /* Connect to IPC$ using machine account's credentials. We don't use anonymous + connection here, as it may be denied by server's local policy. */ + net_use_machine_account(); + + } else { + /* some servers (e.g. WinNT) don't accept machine-authenticated + smb connections */ + conn_flags |= NET_FLAGS_ANONYMOUS; + } + /* Connect to remote machine */ - if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) { + if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) { return -1; }