authorAndrew Bartlett <abartlet@samba.org>2014-10-03 06:32:39 +1300
committerAndrew Bartlett <abartlet@samba.org>2014-10-17 12:57:07 +0200
commit35b8ed7710f60abcc70e0b070afc16bf3faef263 (patch)
tree64eb36cf0bddf0ad247a0a52d8d94e0a43087abe /auth
parent89daf5dc534ab03724a2622d3b6b4d6783756bae (diff)
downloadsamba-35b8ed7710f60abcc70e0b070afc16bf3faef263.tar.gz
credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
This adds a new wrapper, cli_credentials_set_machine_account_db_ctx() Andrew Bartlett Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/credentials/credentials.h16
-rw-r--r--auth/credentials/credentials_secrets.c61
2 files changed, 64 insertions, 13 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index fdd35bbd425..2da47d2cac3 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -36,6 +36,7 @@ struct ccache_container;
struct gssapi_creds_container;
struct smb_krb5_context;
struct keytab_container;
+struct db_context;
/* In order of priority */
enum credentials_obtained {
@@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct db_context *db_ctx);
+
bool cli_credentials_authentication_requested(struct cli_credentials *cred);
void cli_credentials_guess(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
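Review bot: The doc comment added for `cli_credentials_set_machine_account_db_ctx` documents `cred` and `db_ctx` but omits the `lp_ctx` parameter, and says nothing about whether `db_ctx` may be NULL; the identical comment is repeated above the definition in the credentials_secrets.c hunk and needs the same fix. Add ` * @param lp_ctx loadparm context` and extend the existing line to ` * @param db_ctx dbwrap context for secrets.tdb, or NULL to consult only secrets.ldb` — the wrapper in credentials_secrets.c passes the result of dbwrap_local_open() through unchecked with a comment saying it deliberately tolerates a missing secrets.tdb, so NULL is evidently an accepted value and callers of the new entry point should be told so. It would also help to state who owns `db_ctx` after the call (the caller keeps it, presumably, since the function only receives a handle), as that is not visible from this change.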
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8607973d71d..13717b165e6 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
+ struct db_context *db_ctx;
+ char *secrets_tdb_path;
+
+ secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
+ if (secrets_tdb_path == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0,
+ TDB_DEFAULT, O_RDWR, 0600,
+ DBWRAP_LOCK_ORDER_1,
+ DBWRAP_FLAG_NONE);
+ TALLOC_FREE(secrets_tdb_path);
+
+ /*
+ * We do not check for errors here, we might not have a
+ * secrets.tdb at all, and so we just need to check the
+ * secrets.ldb
+ */
+ return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx);
+}
+
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
+ struct loadparm_context *lp_ctx,
+ struct db_context *db_ctx)
+{
NTSTATUS status;
char *filter;
char *error_string;
@@ -242,22 +279,11 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
char *keystr;
char *keystr_upper = NULL;
- char *secrets_tdb;
- struct db_context *db_ctx;
TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
- secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets");
- if (!secrets_tdb) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
- TDB_DEFAULT, O_RDWR, 0600,
- DBWRAP_LOCK_ORDER_1,
- DBWRAP_FLAG_NONE);
+
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
@@ -346,10 +372,19 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
domain, error_string,
dbwrap_name(db_ctx));
} else {
+ char *secrets_tdb_path;
+
+ secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
+ lp_ctx,
+ "secrets");
+ if (secrets_tdb_path == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
error_string = talloc_asprintf(cred,
"Failed to fetch machine account password from "
"secrets.ldb: %s and failed to open %s",
- error_string, secrets_tdb);
+ error_string, secrets_tdb_path);
}
DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n",
error_string, nt_errstr(status)));
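Review bot: The new early return `if (secrets_tdb_path == NULL) { return NT_STATUS_NO_MEMORY; }` in the else branch skips freeing `tmp_ctx`, whereas the removed check it replaces (in the earlier hunk) did `TALLOC_FREE(tmp_ctx)` before returning the same status. Change it to `if (secrets_tdb_path == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; }`; tmp_ctx is a child of cred so it is not lost outright, but it otherwise lingers for the lifetime of the credentials object and the exit is inconsistent with the function's other error paths. Separately, this branch still reports "failed to open %s" with the freshly computed path even when a caller of the new _db_ctx entry point passed NULL deliberately, in which case no open was attempted here; a short comment noting that the message assumes the wrapper's open failed would avoid misleading whoever reads the log. The enclosing function cli_credentials_set_machine_account_db_ctx starts and ends outside this hunk.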