#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
#include "param/secrets.h"
#include "system/filesys.h"
-#include "util/util_ldb.h"
+#include "../lib/util/util_ldb.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
+#include "auth/credentials/credentials_proto.h"
#include "param/param.h"
#include "lib/events/events.h"
+#include "dsdb/samdb/samdb.h"
+
/**
* Read a file descriptor, and parse it for a password (eg from a file or stdin)
char **lines;
int i, numlines;
- lines = file_lines_load(file, &numlines, NULL);
+ lines = file_lines_load(file, &numlines, 0, NULL);
if (lines == NULL)
{
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
- struct event_context *event_ctx,
+ struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
"privateKeytab",
"krb5Keytab",
"servicePrincipalName",
+ "ldapBindDn",
NULL
};
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
+ talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
}
&msgs, attrs,
"%s", filter);
if (ldb_ret == 0) {
- DEBUG(1, ("Could not find entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("(normal if no LDAP backend required) Could not find entry to match filter: '%s' base: '%s'\n",
filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
- DEBUG(1, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
+ DEBUG(5, ("Found more than one (%d) entry to match filter: '%s' base: '%s'\n",
ldb_ret, filter, base));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
machine_account = ldb_msg_find_attr_as_string(msgs[0], "servicePrincipalName", NULL);
if (!machine_account) {
- DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s: filter: '%s' base: '%s'\n",
- cli_credentials_get_domain(cred), filter, base));
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(cred);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+ if (!ldap_bind_dn) {
+ DEBUG(1, ("Could not find 'samAccountName', 'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base: '%s'\n",
+ filter, base));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ } else {
+ /* store bind dn in credentials */
+ cli_credentials_set_bind_dn(cred, ldap_bind_dn);
+ }
}
}
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
- cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ if (machine_account) {
+ cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ }
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
- keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab));
+ keytab = talloc_asprintf(mem_ctx, "FILE:%s", samdb_relative_path(ldb, mem_ctx, keytab));
if (keytab) {
cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
}
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find machine account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
/**
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
- struct event_context *event_ctx,
+ struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s", nt_errstr(status)));
+ }
+ return status;
}
/**
- * Fill in credentials for the machine trust account, from the secrets database.
+ * Fill in credentials for a particular prinicpal, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
- struct event_context *event_ctx,
+ struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
+ NTSTATUS status;
char *filter;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not find %s principal in secrets database: %s", serviceprincipal, nt_errstr(status)));
+ }
+ return status;
}
/**