diff options
author | Andrew Bartlett <abartlet@samba.org> | 2014-10-03 06:32:39 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2014-10-17 12:57:07 +0200 |
commit | 35b8ed7710f60abcc70e0b070afc16bf3faef263 (patch) | |
tree | 64eb36cf0bddf0ad247a0a52d8d94e0a43087abe /auth | |
parent | 89daf5dc534ab03724a2622d3b6b4d6783756bae (diff) | |
download | samba-35b8ed7710f60abcc70e0b070afc16bf3faef263.tar.gz |
credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()
Andrew Bartlett
Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/credentials/credentials.h | 16 | ||||
-rw-r--r-- | auth/credentials/credentials_secrets.c | 61 |
2 files changed, 64 insertions, 13 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index fdd35bbd425..2da47d2cac3 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -36,6 +36,7 @@ struct ccache_container; struct gssapi_creds_container; struct smb_krb5_context; struct keytab_container; +struct db_context; /* In order of priority */ enum credentials_obtained { @@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx); +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx); + bool cli_credentials_authentication_requested(struct cli_credentials *cred); void cli_credentials_guess(struct cli_credentials *cred, struct loadparm_context *lp_ctx); diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 8607973d71d..13717b165e6 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + struct db_context *db_ctx; + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0, + TDB_DEFAULT, O_RDWR, 0600, + DBWRAP_LOCK_ORDER_1, + DBWRAP_FLAG_NONE); + TALLOC_FREE(secrets_tdb_path); + + /* + * We do not check for errors here, we might not have a + * secrets.tdb at all, and so we just need to check the + * secrets.ldb + */ + return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx); +} + +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx) +{ NTSTATUS status; char *filter; char *error_string; @@ -242,22 +279,11 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; char *keystr; char *keystr_upper = NULL; - char *secrets_tdb; - struct db_context *db_ctx; TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets"); - if (!secrets_tdb) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0, - TDB_DEFAULT, O_RDWR, 0600, - DBWRAP_LOCK_ORDER_1, - DBWRAP_FLAG_NONE); + /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ @@ -346,10 +372,19 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr domain, error_string, dbwrap_name(db_ctx)); } else { + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(tmp_ctx, + lp_ctx, + "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + error_string = talloc_asprintf(cred, "Failed to fetch machine account password from " "secrets.ldb: %s and failed to open %s", - error_string, secrets_tdb); + error_string, secrets_tdb_path); } DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", error_string, nt_errstr(status))); |