added a REALLY gross hack into kerberos_kinit_password so that
authorAndrew Tridgell <tridge@samba.org>
Wed, 5 Dec 2001 09:46:53 +0000 (09:46 +0000)
committerAndrew Tridgell <tridge@samba.org>
Wed, 5 Dec 2001 09:46:53 +0000 (09:46 +0000)
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)

source3/include/ads.h
source3/libads/ads_struct.c
source3/libads/kerberos.c
source3/libads/ldap.c
source3/nsswitch/winbindd_ads.c
source3/smbd/negprot.c
source3/smbd/sesssetup.c
source3/utils/net_ads.c

index 36351c1c2bf3cbed6f18f1fa69c927978bf16629..9c5e26f703826587fa283cc51f3b6249f09e5014 100644 (file)
@@ -12,6 +12,7 @@ typedef struct {
        int ldap_port;
        char *bind_path;
        time_t last_attempt;
+       char *password;
 } ADS_STRUCT;
 
 
index 2d8bf061564906ce2ed9c0795d0c3108e3edde7d..83c8f5b4043d37ca34035568fddeb5a5aa1c55db 100644 (file)
@@ -134,7 +134,8 @@ static char *find_ldap_server(ADS_STRUCT *ads)
 */
 ADS_STRUCT *ads_init(const char *realm, 
                     const char *ldap_server,
-                    const char *bind_path)
+                    const char *bind_path,
+                    const char *password)
 {
        ADS_STRUCT *ads;
        
@@ -145,6 +146,7 @@ ADS_STRUCT *ads_init(const char *realm,
        ads->ldap_server = ldap_server? strdup(ldap_server) : NULL;
        ads->bind_path = bind_path? strdup(bind_path) : NULL;
        ads->ldap_port = LDAP_PORT;
+       if (password) ads->password = strdup(password);
 
        if (!ads->realm) {
                ads->realm = strdup(lp_realm());
@@ -181,6 +183,7 @@ void ads_destroy(ADS_STRUCT **ads)
                SAFE_FREE((*ads)->ldap_server);
                SAFE_FREE((*ads)->kdc_server);
                SAFE_FREE((*ads)->bind_path);
+               SAFE_FREE((*ads)->password);
                ZERO_STRUCTP(*ads);
                SAFE_FREE(*ads);
        }
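Review bot: In ads_destroy the duplicated password is released with `SAFE_FREE((*ads)->password);` without being wiped first; `ZERO_STRUCTP(*ads)` on the next line clears only the struct, so the plaintext secret stays behind in freed heap memory. Wipe it before the free, e.g. `if ((*ads)->password) memset((*ads)->password, 0, strlen((*ads)->password));` — and note that a plain memset immediately before free may be optimised away, so a volatile-pointer store loop (or explicit_bzero where available) is the more reliable form. In the ads_init hunk, `if (password) ads->password = strdup(password);` leaves the member untouched when password is NULL, unlike the neighbouring `x ? strdup(x) : NULL` assignments; unless the allocation above the hunk zero-fills the struct (not visible here), the later `if (ads->password)` test in ads_connect reads an indeterminate pointer. Writing it as `ads->password = password ? strdup(password) : NULL;` keeps the style consistent and removes that dependence.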
index a3aa8b16617841ad9fcaf66bda724fbb8728008a..1b0de382bdf2563ab2720b1f8395046f676d8061 100644 (file)
 
 #ifdef HAVE_KRB5
 
+
+/* VERY nasty hack until we have proper kerberos code for this */
+void kerberos_kinit_password(ADS_STRUCT *ads)
+{
+       char *s;
+       FILE *f;
+       extern pstring global_myname;
+       fstring myname;
+       fstrcpy(myname, global_myname);
+       strlower(myname);
+       asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm);
+       DEBUG(0,("HACK!! Running %s\n", s));
+       f = popen(s, "w");
+       if (f) {
+               fprintf(f,"%s\n", ads->password);
+               fflush(f);
+               fclose(f);
+       }
+       free(s);
+}
+
 /*
   verify an incoming ticket and parse out the principal name and 
   authorization_data if available 
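Review bot: The stream returned by `f = popen(s, "w")` is closed with `fclose(f)`; a popen'd stream must be closed with `pclose`, otherwise the child is never reaped and kinit's exit status is lost — use `pclose(f);`. The lowercased `myname` built by `fstrcpy`/`strlower` is then never used: the asprintf formats `global_myname` instead, so presumably `myname` was meant there. The asprintf return value is unchecked; on failure `s` is indeterminate and both `popen(s, "w")` and `free(s)` are undefined, so `if (asprintf(&s, "kinit 'HOST/%s@%s'", myname, ads->realm) < 0) return;`. Also, `ads->realm` is spliced into a command line that `/bin/sh` interprets; it comes from configuration rather than the network, but any value that is not a plain realm string changes the command, and spawning kinit with an explicit argv instead of through the shell would remove that dependence on quoting.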
index 14fd716058baadea4cec65cc46777882bd3934e4..287ea225a18d5d343af73b1fd1e1fa0bd1f7c23d 100644 (file)
@@ -70,6 +70,10 @@ int ads_connect(ADS_STRUCT *ads)
        }
        ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 
+       if (ads->password) {
+               kerberos_kinit_password(ads);
+       }
+
        rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 
                                          LDAP_SASL_QUIET,
                                          sasl_interact, NULL);
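Review bot: `kerberos_kinit_password(ads)` returns void, so when the kinit fails ads_connect proceeds straight into `ldap_sasl_interactive_bind_s` with no ticket and the bind error is the only symptom; the hack would be much easier to diagnose if the helper returned the child's exit status and this call logged a failure before binding. The helper is defined inside `#ifdef HAVE_KRB5` in kerberos.c, while the call here appears unguarded — if ads_connect can be built without that define (not visible in this hunk), this is an unresolved symbol at link time, so either wrap the call in the same `#ifdef` or provide a stub. ads_connect begins and ends outside the hunk.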
index 145f2b68d18940c36c83ddb6ce3f95d2e65cad1f..edf4d45c387abfa473d002be171efa106eabffb9 100644 (file)
@@ -38,7 +38,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
                return (ADS_STRUCT *)domain->private;
        }
 
-       ads = ads_init(NULL, NULL, NULL);
+       ads = ads_init(NULL, NULL, NULL, secrets_fetch_machine_password());
        if (!ads) {
                DEBUG(1,("ads_init for domain %s failed\n", domain->name));
                return NULL;
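Review bot: The result of `secrets_fetch_machine_password()` is passed inline and never released; ads_init makes its own strdup of the password (see ads_struct.c in this commit), so if the secrets store returns caller-owned allocated memory — which I believe it does, though that is not visible here — the buffer leaks on every cached-connection setup and the plaintext machine password stays in the heap. Capture it and free it after the copy: `char *pw = secrets_fetch_machine_password();` / `ads = ads_init(NULL, NULL, NULL, pw);` / `SAFE_FREE(pw);`, wiping it before the free. A NULL return (no machine account yet) is already tolerated by ads_init's `if (password)` check. ads_cached_connection starts outside the hunk.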
index 78d4da3a757037c3cbbeb24a729df9d45681e018..b99d2395407200c00b261a66e3d4e2d13ebdfc63 100644 (file)
@@ -186,7 +186,7 @@ static int negprot_spnego(char *p)
 #endif
        {
                ADS_STRUCT *ads;
-               ads = ads_init(NULL, NULL, NULL);
+               ads = ads_init(NULL, NULL, NULL, NULL);
                
                /* win2000 uses host$@REALM, which we will probably use eventually,
                   but for now this works */
index 35155c0decc4afa48420ac0ca3b62f908c74e89f..8e7ee38504631307848e0ff7d57b4c5f4f80768c 100644 (file)
@@ -87,7 +87,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
                return ERROR_NT(NT_STATUS_LOGON_FAILURE);
        }
 
-       ads = ads_init(NULL, NULL, NULL);
+       ads = ads_init(NULL, NULL, NULL, NULL);
 
        ret = ads_verify_ticket(ads, &ticket, &client, &auth_data);
        if (!NT_STATUS_IS_OK(ret)) {
index a1ea063b208c626bec633bf59c8eba8c2e1ab101..c956d9bb65ded67106371193f600f6c2b34ad438 100644 (file)
@@ -44,7 +44,7 @@ static ADS_STRUCT *ads_startup(void)
 {
        ADS_STRUCT *ads;
        int rc;
-       ads = ads_init(NULL, NULL, NULL);
+       ads = ads_init(NULL, NULL, NULL, NULL);
 
        rc = ads_connect(ads);
        if (rc) {