Modify winbindd to use authenticated user info from secrets.tdb when making
authorTim Potter <tpot@samba.org>
Tue, 11 Dec 2001 05:19:15 +0000 (05:19 +0000)
committerTim Potter <tpot@samba.org>
Tue, 11 Dec 2001 05:19:15 +0000 (05:19 +0000)
IPC$ connections to domain controllers.
(This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)

source3/Makefile.in
source3/nsswitch/winbindd.h
source3/nsswitch/winbindd_cm.c

index ff9c9085f5b300366cb158baebf937e89955e9bf..e5920600c581c58363987540e9a3abc4a0117679 100644 (file)
@@ -439,7 +439,8 @@ WINBINDD_OBJ = \
                $(GROUPDB_OBJ) $(PROFILE_OBJ) \
                $(NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ)
 
-WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o
+WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \
+       passdb/secrets.o
 
 WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o
 
@@ -713,10 +714,11 @@ nsswitch/pam_winbind.so: $(PAM_WINBIND_OBJ) bin/.dummy
        @echo Linking $@
        @$(LINK) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ)
 
-bin/wbinfo: $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) $(UBIQX_OBJ) bin/.dummy
+bin/wbinfo: $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) \
+               $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy
        @echo Linking $@
        @$(LINK) -o $@ $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) $(NOPROTO_OBJ) \
-               $(UBIQX_OBJ) $(LIBS)
+               $(UBIQX_OBJ) $(LIBS) @BUILD_POPT@
 
 bin/pam_smbpass.@SHLIBEXT@: $(PAM_SMBPASS_PICOOBJ)
        @echo "Linking shared library $@"
index 40514cc83a5426c7b88422bbccf0e9f0a111404b..2a6fa22961a739520f7755bce9015e30675a4556 100644 (file)
@@ -194,4 +194,9 @@ typedef struct {
 #define SETENV(name, value, overwrite) ;
 #endif
 
+/* Authenticated user info is stored in secrets.tdb under these keys */
+
+#define SECRETS_AUTH_USER      "SECRETS/AUTH_USER"
+#define SECRETS_AUTH_PASSWORD  "SECRETS/AUTH_PASSWORD"
+
 #endif /* _WINBINDD_H */
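Review bot: The comment above `SECRETS_AUTH_USER` and `SECRETS_AUTH_PASSWORD` does not say that the password is stored and read back in cleartext, which the winbindd_cm.c hunk shows by passing the fetched value straight to `pwd_set_cleartext`. I would extend it to something like `/* Authenticated user info is stored in secrets.tdb under these keys. The password is held in cleartext, so secrets.tdb must only be readable by root. */`. Since the credential is reusable by anyone who can read the file, it is also worth stating that the account should be an ordinary low-privilege domain user. Judging by the comment on `cm_init_creds`, it is only needed to get past anonymous-access restrictions.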
index 987b28e09cc392c3dc265a453d78b0e875e7c2f9..31ab61a7de4018f75bcaad1de5d1349ece2cf056 100644 (file)
@@ -182,6 +182,34 @@ static BOOL cm_get_dc_name(char *domain, fstring srv_name)
        return True;
 }
 
+/* Choose between anonymous or authenticated connections.  We need to use
+   an authenticated connection if DCs have the RestrictAnonymous registry
+   entry set > 0, or the "Additional restrictions for anonymous
+   connections" set in the win2k Local Security Policy. */
+
+void cm_init_creds(struct ntuser_creds *creds)
+{
+       char *username, *password;
+
+       ZERO_STRUCTP(creds);
+
+       creds->pwd.null_pwd = True; /* anonymoose */
+
+       username = secrets_fetch(SECRETS_AUTH_USER, NULL);
+       password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
+
+       if (username && *username) {
+               pwd_set_cleartext(&creds->pwd, password);
+
+               fstrcpy(creds->user_name, username);
+               fstrcpy(creds->domain, lp_workgroup());
+
+               DEBUG(3, ("IPC$ connections done %s\\%s\n", creds->domain,
+                         creds->user_name));
+       } else 
+               DEBUG(3, ("IPC$ connections done anonymously\n"));
+}
+
 /* Open a new smb pipe connection to a DC on a given domain.  Cache
    negative creation attempts so we don't try and connect to broken
    machines too often. */
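Review bot: In `cm_init_creds`, `password` reaches `pwd_set_cleartext` without a NULL check, and neither buffer returned by `secrets_fetch` is released. If only `SECRETS/AUTH_USER` is present in secrets.tdb, `password` is presumably NULL on that path. The bodies of `pwd_set_cleartext` and `secrets_fetch` are outside this hunk, so the NULL handling should be confirmed there. As far as I know `secrets_fetch` returns a heap copy the caller owns, so every new DC connection would leak the username and leave another copy of the cleartext password in freed-but-unwiped memory. The sketch below wipes and frees both, though a plain `memset` before `free` may be elided by the optimiser. Passing `NULL` for the size argument also means the code trusts the stored blobs to be NUL-terminated before `fstrcpy` reads them, which deserves a comment or a length check.

```c
void cm_init_creds(struct ntuser_creds *creds)
{
	/* … unchanged: locals, ZERO_STRUCTP, null_pwd default, the two secrets_fetch calls … */

	if (username && *username && password) {
		/* … unchanged: pwd_set_cleartext, fstrcpy of user and domain, DEBUG … */
	} else
		DEBUG(3, ("IPC$ connections done anonymously\n"));

	/* The fetched values are heap copies owned by us: wipe the
	   cleartext password before handing the memory back. */
	if (password)
		memset(password, 0, strlen(password));

	free(username);
	free(password);
}
```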
@@ -257,8 +285,7 @@ static BOOL cm_open_connection(char *domain, char *pipe_name,
        make_nmb_name(&called, dns_to_netbios_name(new_conn->controller), 0x20);
        make_nmb_name(&calling, dns_to_netbios_name(global_myname), 0);
 
-       ZERO_STRUCT(creds);
-       creds.pwd.null_pwd = 1;
+       cm_init_creds(&creds);
 
        cli_init_creds(new_conn->cli, &creds);