Author: mimir Date: 2007-08-29 20:53:09 +0000 (Wed, 29 Aug 2007) New Revision: 24792
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24792 Log: Merge from 3_2: Add machine-authenticated connections to netlogon pipe of win2k and newer (which may have anonymous connections restricted) and leave anonymous for winnt domain. rafal Modified: branches/SAMBA_3_2_0/source/utils/net.c branches/SAMBA_3_2_0/source/utils/net_ads.c branches/SAMBA_3_2_0/source/utils/net_rpc_join.c Changeset: Modified: branches/SAMBA_3_2_0/source/utils/net.c =================================================================== --- branches/SAMBA_3_2_0/source/utils/net.c 2007-08-29 20:49:09 UTC (rev 24791) +++ branches/SAMBA_3_2_0/source/utils/net.c 2007-08-29 20:53:09 UTC (rev 24792) @@ -341,10 +341,10 @@ } /**************************************************************************** - Use the local machine's password for this session. + Use the local machine account (upn) and password for this session. ****************************************************************************/ -int net_use_machine_password(void) +int net_use_upn_machine_account(void) { char *user_name = NULL; @@ -353,7 +353,6 @@ exit(1); } - user_name = NULL; opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); if (asprintf(&user_name, "[EMAIL PROTECTED]", global_myname(), lp_realm()) == -1) { return -1; 
@@ -362,6 +361,27 @@ return 0; } +/**************************************************************************** + Use the machine account name and password for this session. +****************************************************************************/ + +int net_use_machine_account(void) +{ + char *user_name = NULL; + + if (!secrets_init()) { + d_fprintf(stderr, "ERROR: Unable to open secrets database\n"); + exit(1); + } + + opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL); + if (asprintf(&user_name, "%s$", global_myname()) == -1) { + return -1; + } + opt_user_name = user_name; + return 0; +} + BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name) { const char *d = domain ? domain : opt_target_workgroup; @@ -1044,7 +1064,7 @@ /* it is very useful to be able to make ads queries as the machine account for testing purposes and for domain leave */ - net_use_machine_password(); + net_use_upn_machine_account(); } if (!opt_password) { Modified: branches/SAMBA_3_2_0/source/utils/net_ads.c =================================================================== --- branches/SAMBA_3_2_0/source/utils/net_ads.c 2007-08-29 20:49:09 UTC (rev 24791) +++ branches/SAMBA_3_2_0/source/utils/net_ads.c 2007-08-29 20:53:09 UTC (rev 24792) @@ -882,7 +882,7 @@ return NT_STATUS_ACCESS_DENIED; } - net_use_machine_password(); + net_use_upn_machine_account(); status = ads_startup(True, &ads); if (!ADS_ERR_OK(status)) { @@ -2187,7 +2187,7 @@ return -1; } - net_use_machine_password(); + net_use_upn_machine_account(); use_in_memory_ccache(); Modified: branches/SAMBA_3_2_0/source/utils/net_rpc_join.c =================================================================== --- branches/SAMBA_3_2_0/source/utils/net_rpc_join.c 2007-08-29 20:49:09 UTC (rev 24791) +++ branches/SAMBA_3_2_0/source/utils/net_rpc_join.c 2007-08-29 20:53:09 UTC (rev 24792) 
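Review bot: net_use_machine_account() repeats the whole body of net_use_upn_machine_account() — the secrets_init() check that calls exit(1), the secrets_fetch_machine_password() call and the asprintf()/opt_user_name assignment — and differs only in the user-name format, so the two should share a static helper rather than carry the sequence twice. Neither variant checks the pointer returned by secrets_fetch_machine_password(), so on a host with no stored machine password opt_password is silently left NULL and the -1 return only reports asprintf() failure; the new caller in net_rpc_join.c ignores that return entirely. The header comment should also state that the function overwrites the global opt_user_name and opt_password for the rest of the process and that nothing here releases a previous opt_user_name value. The hunk renames net_use_machine_password() in net.c and its net_ads.c callers; if its prototype is declared in a header that is not part of this diff, that declaration needs the same rename. A sketch of the factored form:
```c
/* Open the secrets database and return the stored machine password,
 * or NULL when none is stored.  Shared by both net_use_*_account()
 * variants; exits the process when the secrets database cannot be opened,
 * as the existing code already does. */
static char *net_fetch_machine_password(void)
{
	if (!secrets_init()) {
		d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
		exit(1);
	}
	return secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
}

/****************************************************************************
 Use the machine account name (NAME$) and password for this session.
 Sets the globals opt_user_name and opt_password; returns -1 when no
 machine password is stored or the name cannot be built, 0 otherwise.
****************************************************************************/

int net_use_machine_account(void)
{
	char *user_name = NULL;

	opt_password = net_fetch_machine_password();
	if (opt_password == NULL) {
		return -1;
	}
	if (asprintf(&user_name, "%s$", global_myname()) == -1) {
		return -1;
	}
	opt_user_name = user_name;
	return 0;
}

/* … net_use_upn_machine_account() unchanged apart from calling the same helper … */
```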
@@ -42,14 +42,29 @@ **/ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) { + enum security_types sec; + unsigned int conn_flags = NET_FLAGS_PDC; uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL; + sec = (enum security_types)lp_security(); + + if (sec == SEC_ADS) { + /* Connect to IPC$ using machine account's credentials. We don't use anonymous + connection here, as it may be denied by server's local policy. */ + net_use_machine_account(); + + } else { + /* some servers (e.g. WinNT) don't accept machine-authenticated + smb connections */ + conn_flags |= NET_FLAGS_ANONYMOUS; + } + /* Connect to remote machine */ - if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) { + if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) { return -1; }
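Review bot: The branch at `if (sec == SEC_ADS)` keys the choice between an anonymous and a machine-authenticated IPC$ connection on the local `security =` setting, while the log message describes it as a property of the DC (win2k and newer may refuse anonymous sessions); a `security = domain` host talking to such a DC still takes the NET_FLAGS_ANONYMOUS path and may still be refused. The return value of `net_use_machine_account()` is discarded and opt_password is never checked, so with no stored machine password the connection is attempted with a NULL password instead of failing early; `if (net_use_machine_account() != 0 || opt_password == NULL) { return -1; }` would make that explicit. net_use_machine_account() also overwrites the global opt_user_name/opt_password for the rest of the process, which is worth a comment in a probe function like net_rpc_join_ok(). As a point of style, `sec` is assigned once and used once, so `if (lp_security() == SEC_ADS)` would drop the local and the cast. The body of net_rpc_join_ok() continues past the end of the hunk.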