_PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained)
{
char *uname, *p;
if (strcmp("%",data) == 0) {
cli_credentials_set_anonymous(credentials);
return;
}
uname = talloc_strdup(credentials, data);
if ((p = strchr_m(uname,'%'))) {
*p = 0;
cli_credentials_set_password(credentials, p+1, obtained);
}
if ((p = strchr_m(uname,'@'))) {
cli_credentials_set_principal(credentials, uname, obtained);
*p = 0;
cli_credentials_set_realm(credentials, p+1, obtained);
return;
} else if ((p = strchr_m(uname,'\\')) || (p = strchr_m(uname, '/'))) {
*p = 0;
cli_credentials_set_domain(credentials, uname, obtained);
uname = p+1;
}
cli_credentials_set_username(credentials, uname, obtained);
}
/**
* Fill in a credentials structure as the anonymous user
*/
_PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
{
cli_credentials_set_username(cred, "", CRED_SPECIFIED);
cli_credentials_set_domain(cred, "", CRED_SPECIFIED);
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
}
/**
* Specifies default values for domain, workstation and realm
* from the smb.conf configuration file
*
* @param cred Credentials structure to fill in
*/
_PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SPECIFIED);
} else {
cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_UNINITIALISED);
}
if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) {
cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED);
} else {
cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED);
}
if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
} else {
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_UNINITIALISED);
}
}
static PyObject *py_creds_set_realm(PyObject *self, PyObject *args)
{
char *newval;
enum credentials_obtained obt = CRED_SPECIFIED;
int _obt = obt;
if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
return NULL;
}
obt = _obt;
return PyBool_FromLong(cli_credentials_set_realm(PyCredentials_AsCliCredentials(self), newval, obt));
}
BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained)
{
uint16_t len = 0;
char *ptr, *val, *param;
char **lines;
int i, numlines;
lines = file_lines_load(file, &numlines, NULL);
if (lines == NULL)
{
/* fail if we can't open the credentials file */
d_printf("ERROR: Unable to open credentials file!\n");
return False;
}
for (i = 0; i < numlines; i++) {
len = strlen(lines[i]);
if (len == 0)
continue;
/* break up the line into parameter & value.
* will need to eat a little whitespace possibly */
param = lines[i];
if (!(ptr = strchr_m (lines[i], '=')))
continue;
val = ptr+1;
*ptr = '\0';
/* eat leading white space */
while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
val++;
if (strwicmp("password", param) == 0) {
cli_credentials_set_password(cred, val, obtained);
} else if (strwicmp("username", param) == 0) {
cli_credentials_set_username(cred, val, obtained);
} else if (strwicmp("domain", param) == 0) {
cli_credentials_set_domain(cred, val, obtained);
} else if (strwicmp("realm", param) == 0) {
cli_credentials_set_realm(cred, val, obtained);
}
memset(lines[i], 0, len);
}
talloc_free(lines);
return True;
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
const char *base,
const char *filter)
{
TALLOC_CTX *mem_ctx;
struct ldb_context *ldb;
int ldb_ret;
struct ldb_message **msgs;
const char *attrs[] = {
"secret",
"priorSecret",
"samAccountName",
"flatname",
"realm",
"secureChannelType",
"ntPwdHash",
"msDS-KeyVersionNumber",
"saltPrincipal",
"privateKeytab",
"krb5Keytab",
NULL
};
const char *machine_account;
const char *password;
const char *old_password;
const char *domain;
const char *realm;
enum netr_SchannelType sct;
const char *salt_principal;
const char *keytab;
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = False;
/* some other parts of the system will key off this */
cred->machine_account = True;
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
if (!ldb) {
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
DEBUG(1, ("Could not open secrets.ldb\n"));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
/* search for the secret record */
ldb_ret = gendb_search(ldb,
mem_ctx, ldb_dn_new(mem_ctx, ldb, base),
&msgs, attrs,
"%s", filter);
if (ldb_ret == 0) {
DEBUG(1, ("Could not find entry to match filter: %s\n",
filter));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else if (ldb_ret != 1) {
DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
ldb_ret, filter));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
password = ldb_msg_find_attr_as_string(msgs[0], "secret", NULL);
old_password = ldb_msg_find_attr_as_string(msgs[0], "priorSecret", NULL);
machine_account = ldb_msg_find_attr_as_string(msgs[0], "samAccountName", NULL);
if (!machine_account) {
DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
cli_credentials_get_domain(cred)));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
salt_principal = ldb_msg_find_attr_as_string(msgs[0], "saltPrincipal", NULL);
cli_credentials_set_salt_principal(cred, salt_principal);
sct = ldb_msg_find_attr_as_int(msgs[0], "secureChannelType", 0);
if (sct) {
cli_credentials_set_secure_channel_type(cred, sct);
}
if (!password) {
const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash");
struct samr_Password hash;
ZERO_STRUCT(hash);
if (nt_password_hash) {
memcpy(hash.hash, nt_password_hash->data,
MIN(nt_password_hash->length, sizeof(hash.hash)));
cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
} else {
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
}
} else {
cli_credentials_set_password(cred, password, CRED_SPECIFIED);
}
domain = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
if (domain) {
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
}
realm = ldb_msg_find_attr_as_string(msgs[0], "realm", NULL);
if (realm) {
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0], "msDS-KeyVersionNumber", 0));
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL);
if (keytab) {
cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
} else {
keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab));
if (keytab) {
cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
}
}
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
_PUBLIC_ struct test_join *torture_join_domain(struct torture_context *tctx,
const char *machine_name,
uint32_t acct_flags,
struct cli_credentials **machine_credentials)
{
NTSTATUS status;
struct libnet_context *libnet_ctx;
struct libnet_JoinDomain *libnet_r;
struct test_join *tj;
struct samr_SetUserInfo s;
union samr_UserInfo u;
tj = talloc(tctx, struct test_join);
if (!tj) return NULL;
libnet_r = talloc(tj, struct libnet_JoinDomain);
if (!libnet_r) {
talloc_free(tj);
return NULL;
}
libnet_ctx = libnet_context_init(tctx->ev, tctx->lp_ctx);
if (!libnet_ctx) {
talloc_free(tj);
return NULL;
}
tj->libnet_r = libnet_r;
libnet_ctx->cred = cmdline_credentials;
libnet_r->in.binding = torture_setting_string(tctx, "binding", NULL);
if (!libnet_r->in.binding) {
libnet_r->in.binding = talloc_asprintf(libnet_r, "ncacn_np:%s", torture_setting_string(tctx, "host", NULL));
}
libnet_r->in.level = LIBNET_JOINDOMAIN_SPECIFIED;
libnet_r->in.netbios_name = machine_name;
libnet_r->in.account_name = talloc_asprintf(libnet_r, "%s$", machine_name);
if (!libnet_r->in.account_name) {
talloc_free(tj);
return NULL;
}
libnet_r->in.acct_type = acct_flags;
libnet_r->in.recreate_account = true;
status = libnet_JoinDomain(libnet_ctx, libnet_r, libnet_r);
if (!NT_STATUS_IS_OK(status)) {
if (libnet_r->out.error_string) {
DEBUG(0, ("Domain join failed - %s\n", libnet_r->out.error_string));
} else {
DEBUG(0, ("Domain join failed - %s\n", nt_errstr(status)));
}
talloc_free(tj);
return NULL;
}
tj->p = libnet_r->out.samr_pipe;
tj->user_handle = *libnet_r->out.user_handle;
tj->dom_sid = libnet_r->out.domain_sid;
talloc_steal(tj, libnet_r->out.domain_sid);
tj->dom_netbios_name = libnet_r->out.domain_name;
talloc_steal(tj, libnet_r->out.domain_name);
tj->dom_dns_name = libnet_r->out.realm;
talloc_steal(tj, libnet_r->out.realm);
tj->user_guid = libnet_r->out.account_guid;
tj->netbios_name = talloc_strdup(tj, machine_name);
if (!tj->netbios_name) {
talloc_free(tj);
return NULL;
}
ZERO_STRUCT(u);
s.in.user_handle = &tj->user_handle;
s.in.info = &u;
s.in.level = 21;
u.info21.fields_present = SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME;
u.info21.comment.string = talloc_asprintf(tj,
"Tortured by Samba4: %s",
timestring(tj, time(NULL)));
u.info21.full_name.string = talloc_asprintf(tj,
"Torture account for Samba4: %s",
timestring(tj, time(NULL)));
u.info21.description.string = talloc_asprintf(tj,
"Samba4 torture account created by host %s: %s",
lp_netbios_name(tctx->lp_ctx), timestring(tj, time(NULL)));
status = dcerpc_samr_SetUserInfo(tj->p, tj, &s);
if (!NT_STATUS_IS_OK(status)) {
printf("SetUserInfo (non-critical) failed - %s\n", nt_errstr(status));
}
*machine_credentials = cli_credentials_init(tj);
cli_credentials_set_conf(*machine_credentials, tctx->lp_ctx);
cli_credentials_set_workstation(*machine_credentials, machine_name, CRED_SPECIFIED);
cli_credentials_set_domain(*machine_credentials, libnet_r->out.domain_name, CRED_SPECIFIED);
if (libnet_r->out.realm) {
cli_credentials_set_realm(*machine_credentials, libnet_r->out.realm, CRED_SPECIFIED);
}
cli_credentials_set_username(*machine_credentials, libnet_r->in.account_name, CRED_SPECIFIED);
cli_credentials_set_password(*machine_credentials, libnet_r->out.join_password, CRED_SPECIFIED);
cli_credentials_set_kvno(*machine_credentials, libnet_r->out.kvno);
if (acct_flags & ACB_SVRTRUST) {
cli_credentials_set_secure_channel_type(*machine_credentials,
SEC_CHAN_BDC);
} else if (acct_flags & ACB_WSTRUST) {
cli_credentials_set_secure_channel_type(*machine_credentials,
SEC_CHAN_WKSTA);
} else {
DEBUG(0, ("Invalid account type specificed to torture_join_domain\n"));
talloc_free(*machine_credentials);
return NULL;
}
return tj;
}
/**
* Fill in credentials for the machine trust account, from the secrets database.
*
* @param cred Credentials structure to fill in
* @retval NTSTATUS error detailing any failure
*/
static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
const char *filter,
time_t secrets_tdb_last_change_time,
const char *secrets_tdb_password,
char **error_string)
{
TALLOC_CTX *mem_ctx;
int ldb_ret;
struct ldb_message *msg;
const char *machine_account;
const char *password;
const char *domain;
const char *realm;
enum netr_SchannelType sct;
const char *salt_principal;
char *keytab;
const struct ldb_val *whenChanged;
time_t lct;
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = false;
/* some other parts of the system will key off this */
cred->machine_account = true;
mem_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
if (!ldb) {
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx, lp_ctx);
if (!ldb) {
*error_string = talloc_strdup(cred, "Could not open secrets.ldb");
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
}
ldb_ret = dsdb_search_one(ldb, mem_ctx, &msg,
ldb_dn_new(mem_ctx, ldb, base),
LDB_SCOPE_SUBTREE,
NULL, 0, "%s", filter);
if (ldb_ret != LDB_SUCCESS) {
*error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s",
filter, base ? base : "",
ldb_strerror(ldb_ret), ldb_errstring(ldb));
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
password = ldb_msg_find_attr_as_string(msg, "secret", NULL);
whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) {
/* This attribute is mandetory */
talloc_free(mem_ctx);
return NT_STATUS_NOT_FOUND;
}
/* Don't set secrets.ldb info if the secrets.tdb entry was more recent */
if (lct < secrets_tdb_last_change_time) {
talloc_free(mem_ctx);
return NT_STATUS_NOT_FOUND;
}
if (lct == secrets_tdb_last_change_time && secrets_tdb_password && strcmp(password, secrets_tdb_password) != 0) {
talloc_free(mem_ctx);
return NT_STATUS_NOT_FOUND;
}
cli_credentials_set_password_last_changed_time(cred, lct);
machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
if (!machine_account) {
machine_account = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL);
if (!machine_account) {
const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msg, "ldapBindDn", NULL);
if (!ldap_bind_dn) {
*error_string = talloc_asprintf(cred,
"Could not find 'samAccountName', "
"'servicePrincipalName' or "
"'ldapBindDn' in secrets record: %s",
ldb_dn_get_linearized(msg->dn));
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
/* store bind dn in credentials */
cli_credentials_set_bind_dn(cred, ldap_bind_dn);
}
}
}
salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
cli_credentials_set_salt_principal(cred, salt_principal);
sct = ldb_msg_find_attr_as_int(msg, "secureChannelType", 0);
if (sct) {
cli_credentials_set_secure_channel_type(cred, sct);
}
if (!password) {
const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msg, "unicodePwd");
struct samr_Password hash;
ZERO_STRUCT(hash);
if (nt_password_hash) {
memcpy(hash.hash, nt_password_hash->data,
MIN(nt_password_hash->length, sizeof(hash.hash)));
cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
} else {
cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
}
} else {
cli_credentials_set_password(cred, password, CRED_SPECIFIED);
}
domain = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
if (domain) {
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
}
realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
if (realm) {
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
if (machine_account) {
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
}
cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0));
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
keytab = keytab_name_from_msg(cred, ldb, msg);
if (keytab) {
cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
talloc_free(keytab);
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
/**
* Fill in credentials for the machine trust account, from the
* secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
*
* This version is used in parts of the code that can link in the
* CTDB dbwrap backend, by passing down the already open handle.
*
* @param cred Credentials structure to fill in
* @param db_ctx dbwrap context for secrets.tdb
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct db_context *db_ctx)
{
NTSTATUS status;
char *filter;
char *error_string = NULL;
const char *domain;
bool secrets_tdb_password_more_recent;
time_t secrets_tdb_lct = 0;
char *secrets_tdb_password = NULL;
char *secrets_tdb_old_password = NULL;
uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
char *keystr;
char *keystr_upper = NULL;
TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
cred->machine_account_pending = false;
/* We have to do this, as the fallback in
* cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
domain = cli_credentials_get_domain(cred);
if (db_ctx) {
TDB_DATA dbuf;
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_LAST_CHANGE_TIME,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
secrets_tdb_lct = IVAL(dbuf.dptr,0);
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_PASSWORD,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status)) {
secrets_tdb_password = (char *)dbuf.dptr;
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_PASSWORD_PREV,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status)) {
secrets_tdb_old_password = (char *)dbuf.dptr;
}
keystr = talloc_asprintf(tmp_ctx, "%s/%s",
SECRETS_MACHINE_SEC_CHANNEL_TYPE,
domain);
keystr_upper = strupper_talloc(tmp_ctx, keystr);
status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
&dbuf);
if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0);
}
}
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
domain);
status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
filter, secrets_tdb_lct, secrets_tdb_password, &error_string);
if (secrets_tdb_password == NULL) {
secrets_tdb_password_more_recent = false;
} else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
|| NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
secrets_tdb_password_more_recent = true;
} else if (secrets_tdb_lct > cli_credentials_get_password_last_changed_time(cred)) {
secrets_tdb_password_more_recent = true;
} else if (secrets_tdb_lct == cli_credentials_get_password_last_changed_time(cred)) {
secrets_tdb_password_more_recent = strcmp(secrets_tdb_password, cli_credentials_get_password(cred)) != 0;
} else {
secrets_tdb_password_more_recent = false;
}
if (secrets_tdb_password_more_recent) {
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
}
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
status = NT_STATUS_OK;
} else if (!NT_STATUS_IS_OK(status)) {
if (db_ctx) {
error_string
= talloc_asprintf(cred,
"Failed to fetch machine account password for %s from both "
"secrets.ldb (%s) and from %s",
domain,
error_string == NULL ? "error" : error_string,
dbwrap_name(db_ctx));
} else {
char *secrets_tdb_path;
secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
lp_ctx,
"secrets");
if (secrets_tdb_path == NULL) {
return NT_STATUS_NO_MEMORY;
}
error_string = talloc_asprintf(cred,
"Failed to fetch machine account password from "
"secrets.ldb: %s and failed to open %s",
error_string == NULL ? "error" : error_string,
secrets_tdb_path);
}
DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n",
error_string == NULL ? "error" : error_string,
nt_errstr(status)));
/* set anonymous as the fallback, if the machine account won't work */
cli_credentials_set_anonymous(cred);
}
TALLOC_FREE(tmp_ctx);
return status;
}