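/**
 * Fill in credentials for the machine trust account, from the secrets database.
 *
 * The 'pending' flag is cleared before the lookup; the original comment
 * says this is needed to stop the secrets lookup recursing back into
 * this function. The record is found with SECRETS_PRIMARY_DOMAIN_FILTER
 * instantiated for the credential's current domain name.
 *
 * @param cred Credentials structure to fill in
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         search filter could not be allocated
 */
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
{
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = False;

	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
				 cli_credentials_get_domain(cred));
	/* An allocation failure used to hand a NULL filter straight to the
	 * secrets lookup; fail explicitly instead. */
	if (filter == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN, filter);
}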
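/**
 * Fill in credentials for the krbtgt (master Kerberos) account, from the
 * secrets database.
 *
 * The 'pending' flag is cleared before the lookup; the original comment
 * says this is needed to stop the secrets lookup recursing back into
 * this code. The record is found with SECRETS_KRBTGT_SEARCH instantiated
 * for the credential's realm and domain, under SECRETS_PRINCIPALS_DN.
 *
 * @param cred Credentials structure to fill in
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         search filter could not be allocated
 */
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
{
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = False;

	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
				 cli_credentials_get_realm(cred),
				 cli_credentials_get_domain(cred));
	/* An allocation failure used to hand a NULL filter straight to the
	 * secrets lookup; fail explicitly instead. */
	if (filter == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN, filter);
}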
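/**
 * Fill in credentials for the machine trust account, from the secrets database.
 *
 * The 'pending' flag is cleared before the lookup; the original comment
 * says this is needed to stop the secrets lookup recursing back into
 * this function. The record is found with SECRETS_PRIMARY_DOMAIN_FILTER
 * instantiated for the credential's current domain name, under
 * SECRETS_PRIMARY_DOMAIN_DN. A failed lookup is logged at level 1.
 *
 * @param cred   Credentials structure to fill in
 * @param lp_ctx loadparm context handed to the secrets lookup
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         search filter could not be allocated
 */
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
						      struct loadparm_context *lp_ctx)
{
	NTSTATUS status;
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = false;

	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
				 cli_credentials_get_domain(cred));
	/* An allocation failure used to hand a NULL filter straight to the
	 * secrets lookup; fail explicitly instead. */
	if (filter == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
					     SECRETS_PRIMARY_DOMAIN_DN, filter);
	if (!NT_STATUS_IS_OK(status)) {
		/* Terminate the log line, as the other DEBUG calls in this file do */
		DEBUG(1, ("Could not find machine account in secrets database: %s\n",
			  nt_errstr(status)));
	}
	return status;
}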
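/**
 * Fill in credentials for the krbtgt (master Kerberos) account, from the
 * secrets database.
 *
 * The 'pending' flag is cleared before the lookup; the original comment
 * says this is needed to stop the secrets lookup recursing back into
 * this code. The record is found with SECRETS_KRBTGT_SEARCH instantiated
 * for the credential's realm and domain, under SECRETS_PRINCIPALS_DN.
 * A failed lookup is logged at level 1.
 *
 * @param cred      Credentials structure to fill in
 * @param event_ctx tevent context handed to the secrets lookup
 * @param lp_ctx    loadparm context handed to the secrets lookup
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         search filter could not be allocated
 */
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
				    struct tevent_context *event_ctx,
				    struct loadparm_context *lp_ctx)
{
	NTSTATUS status;
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = false;

	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
				 cli_credentials_get_realm(cred),
				 cli_credentials_get_domain(cred));
	/* An allocation failure used to hand a NULL filter straight to the
	 * secrets lookup; fail explicitly instead. */
	if (filter == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
					     SECRETS_PRINCIPALS_DN, filter);
	if (!NT_STATUS_IS_OK(status)) {
		/* Terminate the log line, as the other DEBUG calls in this file do */
		DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s\n",
			  nt_errstr(status)));
	}
	return status;
}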
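/**
 * Push every kerberos-type secret in secrets.ldb into its keytab.
 *
 * Searches secrets.ldb for kerberosSecret records that carry either a
 * plaintext secret or an NT password hash (the only forms a keytab can be
 * built from), builds a credentials structure for each one and calls
 * cli_credentials_update_keytab() on it. Records that cannot be read or
 * written are logged at level 1 and skipped; the function only fails
 * outright on allocation failure, a database it cannot open, or a failed
 * search.
 *
 * @param parent_ctx talloc context that owns the temporary allocations; all
 *        of them are released before returning
 * @retval NT_STATUS_OK on completion, even if individual records were skipped
 * @retval NT_STATUS_NO_MEMORY on allocation failure
 * @retval NT_STATUS_ACCESS_DENIED if secrets.ldb could not be opened
 * @retval NT_STATUS_INTERNAL_DB_CORRUPTION if the search failed
 */
NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
{
	TALLOC_CTX *mem_ctx;
	int ldb_ret;
	struct ldb_context *ldb;
	struct ldb_message **msgs;
	const char *attrs[] = { NULL };
	struct cli_credentials *creds;
	const char *filter;
	NTSTATUS status;
	int i, ret;

	mem_ctx = talloc_new(parent_ctx);
	if (!mem_ctx) {
		return NT_STATUS_NO_MEMORY;
	}

	/* Local secrets are stored in secrets.ldb */
	ldb = secrets_db_connect(mem_ctx);
	if (!ldb) {
		DEBUG(1, ("Could not open secrets.ldb\n"));
		talloc_free(mem_ctx);
		return NT_STATUS_ACCESS_DENIED;
	}

	/* search for the secret record, but only of things we can
	 * actually update */
	ldb_ret = gendb_search(ldb, mem_ctx, NULL, &msgs, attrs,
			       "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
	if (ldb_ret == -1) {
		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s\n",
			  ldb_errstring(ldb)));
		talloc_free(mem_ctx);
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
	}

	for (i = 0; i < ldb_ret; i++) {
		/* Make a credentials structure from it */
		creds = cli_credentials_init(mem_ctx);
		if (!creds) {
			DEBUG(1, ("cli_credentials_init failed!\n"));
			talloc_free(mem_ctx);
			return NT_STATUS_NO_MEMORY;
		}
		cli_credentials_set_conf(creds);

		filter = talloc_asprintf(mem_ctx, "dn=%s",
					 ldb_dn_get_linearized(msgs[i]->dn));
		/* Previously a failed allocation passed a NULL filter on to
		 * the secrets lookup; bail out instead. */
		if (!filter) {
			talloc_free(mem_ctx);
			return NT_STATUS_NO_MEMORY;
		}

		status = cli_credentials_set_secrets(creds, NULL, filter);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(1, ("Failed to read secrets for keytab update for %s: %s\n",
				  filter, nt_errstr(status)));
			continue;
		}

		ret = cli_credentials_update_keytab(creds);
		if (ret != 0) {
			DEBUG(1, ("Failed to update keytab for %s\n", filter));
			continue;
		}
	}

	/* The success path used to leave mem_ctx (the ldb handle, the search
	 * results and every credentials structure built above) hanging off
	 * parent_ctx; release it like the error paths do. */
	talloc_free(mem_ctx);
	return NT_STATUS_OK;
}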
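/*
 * Install the credentials the samdb must use for its LDAP backend.
 *
 * With use_external the connection authenticates with the SASL EXTERNAL
 * mechanism and no password is looked up. Otherwise the LDAP backend
 * password is read (via SECRETS_LDAP_FILTER) from the secrets.ldb that
 * lives in the same directory as sam.ldb, the SASL mechanism is forced to
 * DIGEST-MD5 and Kerberos is disabled: a Kerberos lookup would recurse
 * into the very samdb being opened, and the backend account is not in
 * the KDC anyway.
 *
 * If the backend password cannot be read the function returns
 * LDB_ERR_STRONG_AUTH_REQUIRED rather than falling back to the anonymous
 * credentials set up at the start; a samdb without the backend
 * credentials must not be used silently.
 *
 * @param ldb          the samdb context; its "credentials" opaque is
 *                     overwritten on success
 * @param use_external true to use SASL EXTERNAL, false to use the stored
 *                     password
 * @return LDB_SUCCESS, or an ldb error code
 */
static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
	const char *secrets_ldb_path, *sam_ldb_path;
	char *private_dir, *p;
	/* Initialised so the error path below can print it safely even if
	 * the secrets lookup fails without setting it. */
	char *error_string = NULL;
	struct ldb_context *secrets_ldb;
	struct cli_credentials *cred;
	struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
	TALLOC_CTX *tmp_ctx = talloc_new(ldb);

	if (!tmp_ctx) {
		return ldb_oom(ldb);
	}

	/* Allocated on ldb rather than tmp_ctx: it outlives this function
	 * as the "credentials" opaque. */
	cred = cli_credentials_init(ldb);
	if (!cred) {
		talloc_free(tmp_ctx);
		return ldb_oom(ldb);
	}

	cli_credentials_set_anonymous(cred);

	if (use_external) {
		cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
	} else {
		cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");

		/*
		 * We don't want to use krb5 to talk to our samdb - recursion
		 * here would be bad, and this account isn't in the KDC
		 * anyway
		 */
		cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);

		/*
		 * Work out where *our* secrets.ldb is. It must be in
		 * the same directory as sam.ldb
		 */
		sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
		if (!sam_ldb_path) {
			talloc_free(tmp_ctx);
			return ldb_operr(ldb);
		}
		if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
			sam_ldb_path += 6;
		}

		private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
		/* strrchr() below would dereference NULL on allocation failure */
		if (!private_dir) {
			talloc_free(tmp_ctx);
			return ldb_oom(ldb);
		}
		p = strrchr(private_dir, '/');
		if (p) {
			*p = '\0';
		} else {
			private_dir = talloc_strdup(tmp_ctx, ".");
			if (!private_dir) {
				talloc_free(tmp_ctx);
				return ldb_oom(ldb);
			}
		}

		secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
						   private_dir);
		if (!secrets_ldb_path) {
			talloc_free(tmp_ctx);
			return ldb_oom(ldb);
		}

		/*
		 * Now that we have found the location, connect to
		 * secrets.ldb so we can read the SamDB Credentials
		 * record
		 */
		secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
					       NULL, NULL, 0);
		/* A failed connect used to be passed on as a NULL ldb handle;
		 * treat it as "no backend password", the same as a failed read. */
		if (!secrets_ldb) {
			ldb_asprintf_errstring(ldb,
					       "Failed to open %s to read LDAP backend password",
					       secrets_ldb_path);
			talloc_free(tmp_ctx);
			return LDB_ERR_STRONG_AUTH_REQUIRED;
		}

		if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
								 SECRETS_LDAP_FILTER,
								 &error_string))) {
			/* Include the lookup's own reason, which was
			 * requested but previously discarded. */
			ldb_asprintf_errstring(ldb,
					       "Failed to read LDAP backend password from %s: %s",
					       secrets_ldb_path,
					       error_string ? error_string : "unknown error");
			talloc_free(tmp_ctx);
			return LDB_ERR_STRONG_AUTH_REQUIRED;
		}
	}

	/*
	 * Finally overwrite any supplied credentials with
	 * these ones, as only secrets.ldb contains the magic
	 * credentials to talk on the ldapi socket
	 */
	if (ldb_set_opaque(ldb, "credentials", cred)) {
		talloc_free(tmp_ctx);
		return ldb_operr(ldb);
	}

	talloc_free(tmp_ctx);
	return LDB_SUCCESS;
}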