-/*
+/*
Unix SMB/CIFS implementation.
Password and authentication handling
Copyright (C) Jeremy Allison 1996-2001
#include "util_tdb.h"
#include "auth/credentials/credentials.h"
#include "lib/param/param.h"
+#include "lib/util/string_wrappers.h"
+#include "source3/lib/substitute.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
-/******************************************************************
- Get the default domain/netbios name to be used when
- testing authentication.
-
- LEGACY: this function provides the legacy domain mapping used with
- the lp_map_untrusted_to_domain() parameter
-******************************************************************/
-
-const char *my_sam_name(void)
-{
- /* Standalone servers can only use the local netbios name */
- if ( lp_server_role() == ROLE_STANDALONE )
- return lp_netbios_name();
-
- /* Default to the DOMAIN name when not specified */
- return lp_workgroup();
-}
-
/**********************************************************************
***********************************************************************/
-static int samu_destroy(struct samu *user)
+static int samu_destroy(struct samu *user)
{
data_blob_clear_free( &user->lm_pw );
data_blob_clear_free( &user->nt_pw );
if ( user->plaintext_pw )
- memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
+ BURN_STR(user->plaintext_pw);
return 0;
}
user->logon_count = 0;
user->unknown_6 = 0x000004ec; /* don't know */
- /* Some parts of samba strlen their pdb_get...() returns,
+ /* Some parts of samba strlen their pdb_get...() returns,
so this keeps the interface unchanged for now. */
user->username = "";
}
/*********************************************************************
- Initialize a struct samu from a struct passwd including the user
+ Initialize a struct samu from a struct passwd including the user
and group SIDs. The *user structure is filled out with the Unix
attributes and a user SID.
*********************************************************************/
const char *domain = lp_netbios_name();
char *fullname;
uint32_t urid;
+ bool ok;
if ( !pwd ) {
return NT_STATUS_NO_SUCH_USER;
/* Basic properties based upon the Unix account information */
- pdb_set_username(user, pwd->pw_name, PDB_SET);
+ ok = pdb_set_username(user, pwd->pw_name, PDB_SET);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
fullname = NULL;
fullname = talloc_strndup(
talloc_tos(), pwd->pw_gecos,
strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
+ if (fullname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
if (fullname != NULL) {
- pdb_set_fullname(user, fullname, PDB_SET);
+ ok = pdb_set_fullname(user, fullname, PDB_SET);
} else {
- pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
+ ok = pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
}
TALLOC_FREE(fullname);
- pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = pdb_set_domain(user, get_global_sam_name(), PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
#if 0
- /* This can lead to a primary group of S-1-22-2-XX which
- will be rejected by other parts of the Samba code.
- Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
+ /* This can lead to a primary group of S-1-22-2-XX which
+ will be rejected by other parts of the Samba code.
+ Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
--jerry */
gid_to_sid(&group_sid, pwd->pw_gid);
/* save the password structure for later use */
user->unix_pw = tcopy_passwd( user, pwd );
+ if (user->unix_pw == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
/* Special case for the guest account which must have a RID of 501 */
/* workstation */
if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
+ DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
pwd->pw_name));
return NT_STATUS_INVALID_COMPUTER_NAME;
- }
- }
+ }
+ }
else {
/* user */
if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
- DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
+ DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
pwd->pw_name));
return NT_STATUS_INVALID_ACCOUNT_NAME;
}
/* set some basic attributes */
- pdb_set_profile_path(user, talloc_sub_specified(user,
- lp_logon_path(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- pdb_set_homedir(user, talloc_sub_specified(user,
- lp_logon_home(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
+ ok = pdb_set_profile_path(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_path(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
+ PDB_DEFAULT);
+ ok &= pdb_set_homedir(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_home(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
- pdb_set_dir_drive(user, talloc_sub_specified(user,
- lp_logon_drive(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
+ ok &= pdb_set_dir_drive(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_drive(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
- pdb_set_logon_script(user, talloc_sub_specified(user,
- lp_logon_script(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
+ ok &= pdb_set_logon_script(
+ user,
+ talloc_sub_specified(
+ user,
+ lp_logon_script(),
+ pwd->pw_name,
+ NULL,
+ domain,
+ pwd->pw_uid,
+ pwd->pw_gid),
PDB_DEFAULT);
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
- /* Now deal with the user SID. If we have a backend that can generate
- RIDs, then do so. But sometimes the caller just wanted a structure
- initialized and will fill in these fields later (such as from a
+ /* Now deal with the user SID. If we have a backend that can generate
+ RIDs, then do so. But sometimes the caller just wanted a structure
+ initialized and will fill in these fields later (such as from a
netr_SamInfo3 structure) */
if ( create && (methods->capabilities(methods) & PDB_CAP_STORE_RIDS)) {
if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
- if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
+ if (acct_ctrl & ACB_TEMPDUP ) acct_str[i++] = 'T';
if (acct_ctrl & ACB_NORMAL ) acct_str[i++] = 'U';
if (acct_ctrl & ACB_MNS ) acct_str[i++] = 'M';
if (acct_ctrl & ACB_WSTRUST ) acct_str[i++] = 'W';
result = talloc_strdup(talloc_tos(), acct_str);
SMB_ASSERT(result != NULL);
return result;
-}
+}
/**********************************************************
Decode the account control bits from a string.
case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
- case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
- case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
- case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
- case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
- case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
- case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
- case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
+ case 'T': { acct_ctrl |= ACB_TEMPDUP ; break; /* 'T'emp account. */ }
+ case 'U': { acct_ctrl |= ACB_NORMAL ; break; /* 'U'ser account (normal). */ }
+ case 'M': { acct_ctrl |= ACB_MNS ; break; /* 'M'NS logon user account. What is this ? */ }
+ case 'W': { acct_ctrl |= ACB_WSTRUST ; break; /* 'W'orkstation account. */ }
+ case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
+ case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
+ case 'X': { acct_ctrl |= ACB_PWNOEXP ; break; /* No 'X'piry on password */ }
case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
case ' ': { break; }
case ':':
case '\n':
- case '\0':
+ case '\0':
case ']':
default: { finished = true; }
}
rid_offset = lp_algorithmic_rid_base();
- if (rid_offset < BASE_RID) {
+ if (rid_offset < BASE_RID) {
/* Try to prevent admin foot-shooting, we can't put algorithmic
rids below 1000, that's the 'well known RIDs' on NT */
DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
/*******************************************************************
converts NT Group RID to a UNIX uid.
-
+
warning: you must not call that function only
you must do a call to the group mapping first.
there is not anymore a direct link between the gid and the rid.
GROUP_MAP *map;
bool ret;
- /* Windows treats "MACHINE\None" as a special name for
+ /* Windows treats "MACHINE\None" as a special name for
rid 513 on non-DCs. You cannot create a user or group
- name "None" on Windows. You will get an error that
+ name "None" on Windows. You will get an error that
the group already exists. */
if ( strequal( name, "None" ) ) {
if (ret) {
if (!sid_check_is_in_our_sam(&user_sid)) {
- DEBUG(0, ("User %s with invalid SID %s in passdb\n",
- name, sid_string_dbg(&user_sid)));
+ struct dom_sid_buf buf;
+ DBG_ERR("User %s with invalid SID %s"
+ " in passdb\n",
+ name,
+ dom_sid_str_buf(&user_sid, &buf));
return False;
}
/* BUILTIN groups are looked up elsewhere */
if (!sid_check_is_in_our_sam(&map->sid)) {
+ struct dom_sid_buf buf;
DEBUG(10, ("Found group %s (%s) not in our domain -- "
- "ignoring.", name, sid_string_dbg(&map->sid)));
+ "ignoring.\n",
+ name,
+ dom_sid_str_buf(&map->sid, &buf)));
TALLOC_FREE(map);
return False;
}
NTSTATUS local_password_change(const char *user_name,
int local_flags,
- const char *new_passwd,
+ const char *new_passwd,
char **pp_err_str,
char **pp_msg_str)
{
user_exists = pdb_getsampwnam(sam_pass, user_name);
/* Check delete first, we don't need to do anything else if we
- * are going to delete the acocunt */
+ * are going to delete the account */
if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
result = pdb_delete_user(tosctx, sam_pass);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, homedir, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else {
- pdb_set_dir_drive(sampass,
+ pdb_set_dir_drive(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_drive()),
PDB_DEFAULT);
}
- if (logon_script)
+ if (logon_script)
pdb_set_logon_script(sampass, logon_script, PDB_SET);
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
pdb_set_profile_path(sampass, profile_path, PDB_SET);
} else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, homedir, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else {
- pdb_set_dir_drive(sampass,
+ pdb_set_dir_drive(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_drive()),
PDB_DEFAULT);
}
- if (logon_script)
+ if (logon_script)
pdb_set_logon_script(sampass, logon_script, PDB_SET);
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
pdb_set_profile_path(sampass, profile_path, PDB_SET);
} else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else
pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
pdb_set_logon_script(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
fstrcpy( tmp_string, profile_path );
if (expand_explicit) {
standard_sub_basic( username, domain, tmp_string,
sizeof(tmp_string) );
}
pdb_set_profile_path(sampass, tmp_string, PDB_SET);
- }
+ }
else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_path()),
PDB_DEFAULT);
pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
- pdb_set_username(sampass, username, PDB_SET);
+ pdb_set_username(sampass, username, PDB_SET);
pdb_set_domain(sampass, domain, PDB_SET);
pdb_set_nt_username(sampass, nt_username, PDB_SET);
pdb_set_fullname(sampass, fullname, PDB_SET);
pdb_set_homedir(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_homedir(sampass,
+ pdb_set_homedir(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_home()),
PDB_DEFAULT);
}
- if (dir_drive)
+ if (dir_drive)
pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
else
pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
pdb_set_logon_script(sampass, tmp_string, PDB_SET);
}
else {
- pdb_set_logon_script(sampass,
+ pdb_set_logon_script(sampass,
talloc_sub_basic(sampass, username, domain,
lp_logon_script()),
PDB_DEFAULT);
}
- if (profile_path) {
+ if (profile_path) {
fstrcpy( tmp_string, profile_path );
if (expand_explicit) {
standard_sub_basic( username, domain, tmp_string,
sizeof(tmp_string) );
}
pdb_set_profile_path(sampass, tmp_string, PDB_SET);
- }
+ }
else {
- pdb_set_profile_path(sampass,
+ pdb_set_profile_path(sampass,
talloc_sub_basic(sampass, username, domain, lp_logon_path()),
PDB_DEFAULT);
}
if (munged_dial) {
munged_dial_len = strlen(munged_dial) +1;
} else {
- munged_dial_len = 0;
+ munged_dial_len = 0;
}
/* SAMU_BUFFER_FORMAT_V3 "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
/* check to make sure we got it correct */
if (buflen != len) {
- DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
- (unsigned long)buflen, (unsigned long)len));
+ DEBUG(0, ("init_buffer_from_samu_v3: something odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
+ (unsigned long)buflen, (unsigned long)len));
/* error */
SAFE_FREE (*buf);
return (-1);
}
LastBadPassword = pdb_get_bad_password_time(sampass);
- DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
+ DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
(uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
}
/*********************************************************************
- Increment the bad_password_count
+ Increment the bad_password_count
*********************************************************************/
bool pdb_increment_bad_password_count(struct samu *sampass)
return False;
/*
- Ok, now we can assume that any resetting that needs to be
+ Ok, now we can assume that any resetting that needs to be
done has been done, and just get on with incrementing
and autolocking if necessary
*/
- pdb_set_bad_password_count(sampass,
+ pdb_set_bad_password_count(sampass,
pdb_get_bad_password_count(sampass)+1,
PDB_CHANGED);
pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
- if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
+ if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
return True;
if (!pdb_set_acct_ctrl(sampass,
pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
PDB_CHANGED)) {
- DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
+ DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
return False;
}
struct samr_Password *previous_nt_hash = NULL;
E_md4hash(cur_pw, current_nt_hash->hash);
- SAFE_FREE(cur_pw);
+ BURN_FREE_STR(cur_pw);
if (prev_pw == NULL) {
return true;
}
E_md4hash(prev_pw, previous_nt_hash->hash);
- SAFE_FREE(prev_pw);
+ BURN_FREE_STR(prev_pw);
*_previous_nt_hash = previous_nt_hash;
return true;
struct cli_credentials **_creds)
{
TALLOC_CTX *frame = talloc_stackframe();
- NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+ NTSTATUS status;
struct loadparm_context *lp_ctx;
enum netr_SchannelType channel;
time_t last_set_time;
struct cli_credentials *creds = NULL;
bool ok;
- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- DEBUG(1, ("loadparm_init_s3 failed\n"));
- status = NT_STATUS_INTERNAL_ERROR;
- goto fail;
- }
-
- creds = cli_credentials_init(mem_ctx);
- if (creds == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto fail;
- }
-
- cli_credentials_set_conf(creds, lp_ctx);
-
- ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
- if (!ok) {
- status = NT_STATUS_NO_MEMORY;
- goto fail;
- }
-
/*
* If this is our primary trust relationship, use the common
* code to read the secrets.ldb or secrets.tdb file.
goto fail;
}
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_conf(creds, lp_ctx);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
status = cli_credentials_set_machine_account_db_ctx(creds,
lp_ctx,
db_ctx);
goto fail;
}
+ status = pdb_get_trusteddom_creds(netbios_domain, mem_ctx, &creds);
+ if (NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto fail;
+ }
+
ok = get_trust_pw_clear2(netbios_domain,
&_account_name,
&channel,
goto fail;
}
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ ok = cli_credentials_set_conf(creds, lp_ctx);
+ if (!ok) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
cli_credentials_set_secure_channel_type(creds, channel);
cli_credentials_set_password_last_changed_time(creds, last_set_time);
status = NT_STATUS_NO_MEMORY;
goto fail;
}
+
+ /*
+ * It's not possible to use NTLMSSP with a domain trust account.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
+ } else {
+ /*
+ * We can't use kerberos against an NT4 domain.
+ *
+ * We should have a mode that also disallows NTLMSSP here,
+ * as only NETLOGON SCHANNEL is possible.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
status = NT_STATUS_NO_MEMORY;
goto fail;
}
+ /*
+ * We currently can't do kerberos just with an NTHASH.
+ */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
goto done;
}