Author: mimir
Date: 2007-08-29 20:53:09 +0000 (Wed, 29 Aug 2007)
New Revision: 24792

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24792

Log:
Merge from 3_2:

Add machine-authenticated connections to the netlogon pipe for win2k and newer
servers (which may restrict anonymous connections), and keep anonymous
connections for WinNT domains.


rafal


Modified:
   branches/SAMBA_3_2_0/source/utils/net.c
   branches/SAMBA_3_2_0/source/utils/net_ads.c
   branches/SAMBA_3_2_0/source/utils/net_rpc_join.c


Changeset:
Modified: branches/SAMBA_3_2_0/source/utils/net.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net.c     2007-08-29 20:49:09 UTC (rev 
24791)
+++ branches/SAMBA_3_2_0/source/utils/net.c     2007-08-29 20:53:09 UTC (rev 
24792)
@@ -341,10 +341,10 @@
 }
 
 /****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (upn) and password for this session.
 ****************************************************************************/
 
-int net_use_machine_password(void) 
+int net_use_upn_machine_account(void) 
 {
        char *user_name = NULL;
 
@@ -353,7 +353,6 @@
                exit(1);
        }
 
-       user_name = NULL;
        opt_password = secrets_fetch_machine_password(opt_target_workgroup, 
NULL, NULL);
        if (asprintf(&user_name, "[EMAIL PROTECTED]", global_myname(), 
lp_realm()) == -1) {
                return -1;
@@ -362,6 +361,27 @@
        return 0;
 }
 
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+       char *user_name = NULL;
+               
+       if (!secrets_init()) {
+               d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+               exit(1);
+       }
+
+       opt_password = secrets_fetch_machine_password(opt_target_workgroup, 
NULL, NULL);
+       if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+               return -1;
+       }
+       opt_user_name = user_name;
+       return 0;
+}
+
 BOOL net_find_server(const char *domain, unsigned flags, struct in_addr 
*server_ip, char **server_name)
 {
        const char *d = domain ? domain : opt_target_workgroup;
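Review bot: In the new `net_use_machine_account`, the result of `secrets_fetch_machine_password()` is assigned to `opt_password` without a check, so on a host whose secrets database holds no machine password (presumably the NULL return) the function still sets `opt_user_name` to `HOST$`, returns 0, and the caller goes on to authenticate with a NULL password. A guard right after the fetch, `if (!opt_password) { d_fprintf(stderr, "ERROR: Unable to fetch machine password\n"); return -1; }`, keeps the failure visible and mirrors the existing `secrets_init()` handling two lines above. The body is otherwise a copy of `net_use_upn_machine_account` differing only in the asprintf format string, and the older function carries the same unchecked fetch; a small static helper taking the format and its arguments would keep the two in step. The blank line after the `user_name` declaration carries trailing whitespace that should go.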
@@ -1044,7 +1064,7 @@
                /* it is very useful to be able to make ads queries as the
                   machine account for testing purposes and for domain leave */
 
-               net_use_machine_password();
+               net_use_upn_machine_account();
        }
 
        if (!opt_password) {

Modified: branches/SAMBA_3_2_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net_ads.c 2007-08-29 20:49:09 UTC (rev 
24791)
+++ branches/SAMBA_3_2_0/source/utils/net_ads.c 2007-08-29 20:53:09 UTC (rev 
24792)
@@ -882,7 +882,7 @@
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       net_use_machine_password();
+       net_use_upn_machine_account();
 
        status = ads_startup(True, &ads);
        if (!ADS_ERR_OK(status)) {
@@ -2187,7 +2187,7 @@
                return -1;
        }
 
-       net_use_machine_password();
+       net_use_upn_machine_account();
 
        use_in_memory_ccache();
 

Modified: branches/SAMBA_3_2_0/source/utils/net_rpc_join.c
===================================================================
--- branches/SAMBA_3_2_0/source/utils/net_rpc_join.c    2007-08-29 20:49:09 UTC 
(rev 24791)
+++ branches/SAMBA_3_2_0/source/utils/net_rpc_join.c    2007-08-29 20:53:09 UTC 
(rev 24792)
@@ -42,14 +42,29 @@
  **/
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip 
)
 {
+       enum security_types sec;
+       unsigned int conn_flags = NET_FLAGS_PDC;
        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
        struct cli_state *cli = NULL;
        struct rpc_pipe_client *pipe_hnd = NULL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
        NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
 
+       sec = (enum security_types)lp_security();
+
+       if (sec == SEC_ADS) {
+               /* Connect to IPC$ using machine account's credentials. We 
don't use anonymous
+                  connection here, as it may be denied by server's local 
policy. */
+               net_use_machine_account();
+
+       } else {
+               /* some servers (e.g. WinNT) don't accept machine-authenticated
+                  smb connections */
+               conn_flags |= NET_FLAGS_ANONYMOUS;
+       }
+
        /* Connect to remote machine */
-       if (!(cli = net_make_ipc_connection_ex(domain, server, ip, 
(NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+       if (!(cli = net_make_ipc_connection_ex(domain, server, ip, 
conn_flags))) {
                return -1;
        }
 
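Review bot: The return value of `net_use_machine_account()` on the `SEC_ADS` branch is discarded, although the function reports failure with -1 (the asprintf building the account name can fail); in that case `opt_user_name` is never set and the non-anonymous connection below is attempted with whatever `opt_user_name`/`opt_password` presumably already held. Check it before connecting, `if (net_use_machine_account() != 0) { return -1; }`, which matches how the connection failure just below is reported. The `sec` variable is read only once, so `if (lp_security() == SEC_ADS)` would express the same without the cast and the extra local. net_rpc_join_ok's body continues past the end of the hunk.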
