}
cli_credentials_set_conf(session_info->credentials);
- /* set anonymous as the fallback, if the machine account won't work */
- cli_credentials_set_anonymous(session_info->credentials);
cli_credentials_set_machine_account_pending(session_info->credentials);
*_session_info = session_info;
BOOL cli_credentials_authentication_requested(struct cli_credentials *cred)
{
+ if (cred->machine_account_pending) {
+ cli_credentials_set_machine_account(cred);
+ }
+
if (cred->principal_obtained >= CRED_SPECIFIED) {
return True;
}
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
if (!ldb) {
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (ldb_ret == 0) {
DEBUG(1, ("Could not find entry to match filter: %s\n",
filter));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
ldb_ret, filter));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (!machine_account) {
DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
+
+ /* set anonymous as the fallback, if the machine account won't work */
+ cli_credentials_set_anonymous(cred);
+
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
*/
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
{
- char *filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
filter);
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
{
- char *filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
const char *serviceprincipal)
{
- char *filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
- cli_credentials_get_realm(cred),
- cli_credentials_get_domain(cred),
- serviceprincipal);
+ char *filter;
+ /* Bleh, nasty recursion issues: We are setting a machine
+ * account here, so we don't want the 'pending' flag around
+ * any more */
+ cred->machine_account_pending = False;
+ filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
+ cli_credentials_get_realm(cred),
+ cli_credentials_get_domain(cred),
+ serviceprincipal);
return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
filter);
}
existed = file_exists(path);
- ldb = ldb_wrap_connect(mem_ctx, path, LDB_FLG_NOSYNC, NULL);
+ ldb = ldb_wrap_connect(mem_ctx, path, system_session(mem_ctx),
+ NULL, LDB_FLG_NOSYNC, NULL);
talloc_free(path);
if (!ldb) {
return NULL;
connect to the SAM database
return an opaque context pointer on success, or NULL on failure
*/
-struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct auth_session_info *session_info)
+struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
+ struct auth_session_info *session_info)
{
struct ldb_context *ldb;
- ldb = ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
- if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+ ldb = ldb_wrap_connect(mem_ctx, lp_sam_url(), session_info,
+ NULL, 0, NULL);
+ if (!ldb) {
return NULL;
}
return ldb;
url = lp_parm_string(-1, "ldapsrv", "samdb");
if (url) {
- ldb = ldb_wrap_connect(mem_ctx, url, 0, NULL);
+ ldb = ldb_wrap_connect(mem_ctx, url, conn->session_info,
+ NULL, 0, NULL);
if (ldb == NULL) {
talloc_free(mem_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
- if (ldb_set_opaque(ldb, "sessionInfo", conn->session_info)) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
talloc_steal(partition, ldb);
partition->private = ldb;
talloc_free(mem_ctx);
*/
struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx,
const char *url,
+ struct auth_session_info *session_info,
+ struct cli_credentials *credentials,
unsigned int flags,
const char *options[])
{
ev = event_context_find(ldb);
if (ldb_set_opaque(ldb, "EventContext", ev)) {
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+ talloc_free(ldb);
+ return NULL;
+ }
+
+ if (ldb_set_opaque(ldb, "credentials", credentials)) {
+ talloc_free(ldb);
return NULL;
}
msg = ldapres[i];
search = &msg->r.SearchResultEntry;
- (*res)->msgs[i] = talloc(*res, struct ldb_message);
+ (*res)->msgs[i] = talloc((*res)->msgs, struct ldb_message);
if (!(*res)->msgs[i]) {
goto failed;
}
creds = talloc_get_type(ldb_get_opaque(ldb, "credentials"), struct cli_credentials);
if (creds == NULL) {
struct auth_session_info *session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
- if (session_info && session_info->credentials) {
+ if (session_info) {
creds = session_info->credentials;
- } else {
- creds = cmdline_credentials;
}
}
struct ldb_context *wrap;
if (!hive->location) return WERR_INVALID_PARAM;
- wrap = ldb_wrap_connect(hive, hive->location, 0, NULL);
+ /* TODO: Support remoting with credentials and ACLs with session tokens */
+ wrap = ldb_wrap_connect(hive, hive->location, NULL, NULL, 0, NULL);
if(!wrap) {
DEBUG(1, ("ldb_open_hive: unable to connect\n"));
return NT_STATUS_NO_MEMORY;
}
- remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url, 0, NULL);
+ remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url,
+ NULL, ctx->cred, 0, NULL);
if (!remote_ldb) {
r->out.error_string = NULL;
talloc_free(tmp_ctx);
}
}
- account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
+ account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
if (!account_name) {
r->out.error_string = NULL;
talloc_free(tmp_mem);
* Local secrets are stored in secrets.ldb
* open it to make sure we can write the info into it after the join
*/
- ldb = secrets_db_connect(tmp_mem);
+ ldb = secrets_db_connect(tmp_mem);
if (!ldb) {
r->out.error_string
= talloc_asprintf(mem_ctx,
struct ldb_context *winsdb_connect(TALLOC_CTX *mem_ctx)
{
- return ldb_wrap_connect(mem_ctx, lp_wins_url(), 0, NULL);
+ return ldb_wrap_connect(mem_ctx, lp_wins_url(), system_session(mem_ctx),
+ NULL, 0, NULL);
}
*/
static struct ldb_context *sptr_db_connect(TALLOC_CTX *mem_ctx)
{
- return ldb_wrap_connect(mem_ctx, lp_spoolss_url(), 0, NULL);
+ return ldb_wrap_connect(mem_ctx, lp_spoolss_url(), system_session(mem_ctx),
+ NULL, 0, NULL);
}
static int sptr_db_search(struct ldb_context *ldb,
}
existed = file_exists(path);
-
- ldb = ldb_wrap_connect(mem_ctx, path, 0, NULL);
+
+ /* Secrets.ldb *must* always be local. If we call for a
+ * system_session() we will recurse */
+ ldb = ldb_wrap_connect(mem_ctx, path, NULL, NULL, 0, NULL);
talloc_free(path);
if (!ldb) {
return NULL;
#include "auth/auth.h"
#include "scripting/ejs/smbcalls.h"
-static int ejs_doauth(TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
+static int ejs_doauth(MprVarHandle eid,
+ TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
const char *password, const char *domain, const char *remote_host,
const char *authtype)
{
struct auth_usersupplied_info *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
+ struct auth_session_info *session_info = NULL;
struct auth_context *auth_context;
const char *auth_types[] = { authtype, NULL };
NTSTATUS nt_status;
nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
mprSetPropertyValue(auth, "report", mprString("Login Failed"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ goto done;
+ }
+
+ nt_status = auth_generate_session_info(tmp_ctx, server_info, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
goto done;
}
+ talloc_steal(mprMemCtx(), session_info);
+ mprSetThisPtr(eid, "session_info", session_info);
+
mprSetPropertyValue(auth, "result", mprCreateBoolVar(server_info->authenticated));
mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
auth = mprObject("auth");
if (domain && (strcmp("System User", domain) == 0)) {
- ejs_doauth(tmp_ctx, &auth, username, password, domain, remote_host, "unix");
+ ejs_doauth(eid, tmp_ctx, &auth, username, password, domain, remote_host, "unix");
} else {
- ejs_doauth(tmp_ctx, &auth, username, password, domain, remote_host, "sam");
+ ejs_doauth(eid, tmp_ctx, &auth, username, password, domain, remote_host, "sam");
}
mpr_Return(eid, auth);
usage:
ok = ldb.connect(dbfile);
ok = ldb.connect(dbfile, "modules:modlist");
+
+ ldb.credentials or ldb.session_info may be setup first
+
*/
static int ejs_ldbConnect(MprVarHandle eid, int argc, char **argv)
{
struct ldb_context *ldb;
+ struct auth_session_info *session_info;
+ struct cli_credentials *creds;
+
const char *dbfile;
if (argc < 1) {
return -1;
}
+ session_info = mprGetThisPtr(eid, "session_info");
+
+ creds = mprGetThisPtr(eid, "credentials");
+
dbfile = argv[0];
- ldb = ldb_wrap_connect(mprMemCtx(), dbfile, 0, (const char **)(argv+1));
+ ldb = ldb_wrap_connect(mprMemCtx(), dbfile,
+ session_info, creds,
+ 0, (const char **)(argv+1));
if (ldb == NULL) {
ejsSetErrorMsg(eid, "ldb.connect failed to open %s", dbfile);
}
setup_file("provision.smb.conf", paths.smbconf, subobj);
lp.reload();
}
+ message("Setting up secrets.ldb\n");
+ setup_ldb("secrets.ldif", paths.secrets, subobj);
+ message("Setting up DNS zone file\n");
+ setup_file("provision.zone",
+ paths.dns,
+ subobj);
+ message("Setting up keytabs\n");
+ var keytab_ok = credentials_update_all_keytabs();
+ assert(keytab_ok);
message("Setting up hklm.ldb\n");
setup_ldb("hklm.ldif", paths.hklm, subobj);
message("Setting up sam.ldb attributes\n");
message("Setting up sam.ldb users and groups\n");
setup_ldb("provision_users.ldif", paths.samdb, subobj, data, false);
}
- message("Setting up secrets.ldb\n");
- setup_ldb("secrets.ldif", paths.secrets, subobj);
- message("Setting up DNS zone file\n");
- setup_file("provision.zone",
- paths.dns,
- subobj);
- message("Setting up keytabs\n");
- var keytab_ok = credentials_update_all_keytabs();
- assert(keytab_ok);
}
/*