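/**
 * Fill in credentials for the machine trust account, from the secrets database.
 *
 * The search filter is built from the credentials' current domain name and
 * handed to cli_credentials_set_secrets(). The filter string is allocated as
 * a child of @p cred and is released together with it.
 *
 * @param cred Credentials structure to fill in
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         filter string cannot be allocated
 */
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
{
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = False;

	/* NOTE(review): the domain name is substituted into an LDAP search
	 * filter; confirm that SECRETS_PRIMARY_DOMAIN_FILTER (or the caller)
	 * escapes filter metacharacters if the domain can come from an
	 * untrusted source. */
	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
				 cli_credentials_get_domain(cred));
	if (filter == NULL) {
		/* Do not hand a NULL filter down to the secrets lookup. */
		return NT_STATUS_NO_MEMORY;
	}

	return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
					   filter);
}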
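/**
 * Fill in credentials for the krbtgt (master Kerberos) account, from the
 * secrets database.
 *
 * The search filter is built from the credentials' current realm and domain
 * and handed to cli_credentials_set_secrets(). The filter string is
 * allocated as a child of @p cred and is released together with it.
 *
 * @param cred Credentials structure to fill in
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         filter string cannot be allocated
 */
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
{
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = False;

	/* NOTE(review): realm and domain are substituted into an LDAP search
	 * filter; confirm that SECRETS_KRBTGT_SEARCH (or the caller) escapes
	 * filter metacharacters if either value can come from an untrusted
	 * source. */
	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
				 cli_credentials_get_realm(cred),
				 cli_credentials_get_domain(cred));
	if (filter == NULL) {
		/* Do not hand a NULL filter down to the secrets lookup. */
		return NT_STATUS_NO_MEMORY;
	}

	return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
					   filter);
}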
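/**
 * Fill in credentials for the machine trust account, from the secrets database.
 *
 * The search filter is built from the credentials' current domain name and
 * handed to cli_credentials_set_secrets() together with the event context
 * found on @p cred. The filter string is allocated as a child of @p cred and
 * is released together with it. Failures are logged at debug level 1.
 *
 * @param cred Credentials structure to fill in
 * @param lp_ctx Loadparm context used to locate the secrets database
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         filter string cannot be allocated
 */
_PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
						      struct loadparm_context *lp_ctx)
{
	NTSTATUS status;
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = false;

	/* NOTE(review): the domain name is substituted into an LDAP search
	 * filter; confirm that SECRETS_PRIMARY_DOMAIN_FILTER (or the caller)
	 * escapes filter metacharacters if the domain can come from an
	 * untrusted source. */
	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
				 cli_credentials_get_domain(cred));
	if (filter == NULL) {
		/* Do not hand a NULL filter down to the secrets lookup. */
		return NT_STATUS_NO_MEMORY;
	}

	status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
					     SECRETS_PRIMARY_DOMAIN_DN,
					     filter);
	if (!NT_STATUS_IS_OK(status)) {
		/* Trailing newline keeps this from running into the next log line. */
		DEBUG(1, ("Could not find machine account in secrets database: %s\n", nt_errstr(status)));
	}
	return status;
}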
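/**
 * Fill in credentials for the krbtgt (master Kerberos) account, from the
 * secrets database.
 *
 * The search filter is built from the credentials' current realm and domain
 * and handed to cli_credentials_set_secrets(). The filter string is
 * allocated as a child of @p cred and is released together with it.
 * Failures are logged at debug level 1.
 *
 * @param cred Credentials structure to fill in
 * @param event_ctx Event context passed through to the secrets lookup
 * @param lp_ctx Loadparm context used to locate the secrets database
 * @retval NTSTATUS error detailing any failure; NT_STATUS_NO_MEMORY if the
 *         filter string cannot be allocated
 */
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
				    struct tevent_context *event_ctx,
				    struct loadparm_context *lp_ctx)
{
	NTSTATUS status;
	char *filter;

	/* Bleh, nasty recursion issues: We are setting a machine
	 * account here, so we don't want the 'pending' flag around
	 * any more */
	cred->machine_account_pending = false;

	/* NOTE(review): realm and domain are substituted into an LDAP search
	 * filter; confirm that SECRETS_KRBTGT_SEARCH (or the caller) escapes
	 * filter metacharacters if either value can come from an untrusted
	 * source. */
	filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
				 cli_credentials_get_realm(cred),
				 cli_credentials_get_domain(cred));
	if (filter == NULL) {
		/* Do not hand a NULL filter down to the secrets lookup. */
		return NT_STATUS_NO_MEMORY;
	}

	status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
					     SECRETS_PRINCIPALS_DN,
					     filter);
	if (!NT_STATUS_IS_OK(status)) {
		/* Trailing newline keeps this from running into the next log line. */
		DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s\n", nt_errstr(status)));
	}
	return status;
}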
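/**
 * Push every updatable Kerberos secret in secrets.ldb into its keytab.
 *
 * Each kerberosSecret record that carries a secret or an ntPwdHash is
 * re-read into a fresh credentials structure (looked up by its DN) and
 * passed to cli_credentials_update_keytab(). A record that cannot be read
 * or written is logged and skipped so that one bad entry does not block the
 * rest; such skips are not reflected in the return value.
 *
 * All temporary allocations live under a child of @p parent_ctx that is
 * released on every return path, including success.
 *
 * @param parent_ctx talloc context for temporary allocations
 * @retval NT_STATUS_OK once every record has been attempted
 * @retval NT_STATUS_NO_MEMORY on allocation failure
 * @retval NT_STATUS_ACCESS_DENIED if secrets.ldb cannot be opened
 * @retval NT_STATUS_INTERNAL_DB_CORRUPTION if the secrets search fails
 */
NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
{
	TALLOC_CTX *mem_ctx;
	int ldb_ret;
	struct ldb_context *ldb;
	struct ldb_message **msgs;
	const char *attrs[] = { NULL };
	struct cli_credentials *creds;
	const char *filter;
	NTSTATUS status;
	int i, ret;

	mem_ctx = talloc_new(parent_ctx);
	if (!mem_ctx) {
		return NT_STATUS_NO_MEMORY;
	}

	/* Local secrets are stored in secrets.ldb */
	ldb = secrets_db_connect(mem_ctx);
	if (!ldb) {
		DEBUG(1, ("Could not open secrets.ldb\n"));
		status = NT_STATUS_ACCESS_DENIED;
		goto done;
	}

	/* search for the secret record, but only of things we can
	 * actually update */
	ldb_ret = gendb_search(ldb,
			       mem_ctx, NULL,
			       &msgs, attrs,
			       "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
	if (ldb_ret == -1) {
		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
		goto done;
	}

	for (i = 0; i < ldb_ret; i++) {
		const char *dn;

		/* Make a credentials structure from it */
		creds = cli_credentials_init(mem_ctx);
		if (!creds) {
			DEBUG(1, ("cli_credentials_init failed!"));
			status = NT_STATUS_NO_MEMORY;
			goto done;
		}
		cli_credentials_set_conf(creds);

		/* Re-read this exact record by DN rather than by a value
		 * search, so the credentials are tied to one entry. */
		dn = ldb_dn_get_linearized(msgs[i]->dn);
		if (!dn) {
			DEBUG(1, ("Skipping kerberos secret with unprintable DN\n"));
			continue;
		}
		filter = talloc_asprintf(mem_ctx, "dn=%s", dn);
		if (!filter) {
			status = NT_STATUS_NO_MEMORY;
			goto done;
		}

		status = cli_credentials_set_secrets(creds, NULL, filter);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
				  filter));
			continue;
		}
		ret = cli_credentials_update_keytab(creds);
		if (ret != 0) {
			DEBUG(1, ("Failed to update keytab for %s\n",
				  filter));
			continue;
		}
	}
	/* Per-record failures were logged and skipped; the run itself succeeded. */
	status = NT_STATUS_OK;

done:
	/* The original returned NT_STATUS_OK without releasing mem_ctx. */
	talloc_free(mem_ctx);
	return status;
}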
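/**
 * Install the credentials used to talk to our own sam.ldb over LDAP.
 *
 * With @p use_external the SASL EXTERNAL mechanism is forced and no secret
 * is needed. Otherwise DIGEST-MD5 is forced, Kerberos is disabled (talking
 * krb5 to our own database would recurse), and the LDAP backend password is
 * read from the secrets.ldb that sits in the same directory as the sam.ldb
 * named by the "ldb_url" opaque. On success the resulting credentials
 * replace any "credentials" opaque already set on @p ldb; on failure the
 * partially built credentials are freed so nothing is left hanging off @p ldb.
 *
 * @param ldb ldb context whose credentials are to be set
 * @param use_external true to authenticate with SASL EXTERNAL
 * @return LDB_SUCCESS, or an ldb error code; LDB_ERR_STRONG_AUTH_REQUIRED
 *         when the backend password could not be read from secrets.ldb
 */
static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
	const char *secrets_ldb_path, *sam_ldb_path;
	char *private_dir, *p, *error_string = NULL;
	struct ldb_context *secrets_ldb;
	struct cli_credentials *cred;
	struct loadparm_context *lp_ctx = ldb_get_opaque(ldb, "loadparm");
	TALLOC_CTX *tmp_ctx = talloc_new(ldb);
	int ret;

	if (!tmp_ctx) {
		return ldb_oom(ldb);
	}

	/* Allocated on ldb rather than tmp_ctx because it must outlive this
	 * call once installed as the "credentials" opaque; every failure
	 * path below frees it explicitly. */
	cred = cli_credentials_init(ldb);
	if (!cred) {
		talloc_free(tmp_ctx);
		return ldb_oom(ldb);
	}
	cli_credentials_set_anonymous(cred);

	if (use_external) {
		cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
	} else {
		cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");

		/*
		 * We don't want to use krb5 to talk to our samdb - recursion
		 * here would be bad, and this account isn't in the KDC
		 * anyway
		 */
		cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);

		/*
		 * Work out where *our* secrets.ldb is.  It must be in
		 * the same directory as sam.ldb
		 */
		sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
		if (!sam_ldb_path) {
			ret = ldb_operr(ldb);
			goto fail;
		}
		if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
			sam_ldb_path += 6;
		}

		/* Previously unchecked: a NULL here was passed to strrchr(). */
		private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
		if (!private_dir) {
			ret = ldb_oom(ldb);
			goto fail;
		}
		p = strrchr(private_dir, '/');
		if (p) {
			*p = '\0';
		} else {
			/* No directory component: sam.ldb is in the CWD. */
			private_dir = talloc_strdup(tmp_ctx, ".");
			if (!private_dir) {
				ret = ldb_oom(ldb);
				goto fail;
			}
		}

		secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
						   private_dir);
		if (!secrets_ldb_path) {
			ret = ldb_oom(ldb);
			goto fail;
		}

		/*
		 * Now that we have found the location, connect to
		 * secrets.ldb so we can read the SamDB Credentials
		 * record
		 */
		secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
					       NULL, NULL, 0);
		if (!secrets_ldb) {
			/* Previously a NULL connection was handed to the secrets lookup. */
			ldb_asprintf_errstring(ldb, "Failed to connect to %s", secrets_ldb_path);
			ret = LDB_ERR_OPERATIONS_ERROR;
			goto fail;
		}

		/* error_string (allocated by the callee on failure) carries the
		 * detail; it is currently not surfaced in the errstring. */
		if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
								 SECRETS_LDAP_FILTER, &error_string))) {
			ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
			ret = LDB_ERR_STRONG_AUTH_REQUIRED;
			goto fail;
		}
	}

	/*
	 * Finally overwrite any supplied credentials with
	 * these ones, as only secrets.ldb contains the magic
	 * credentials to talk on the ldapi socket
	 */
	if (ldb_set_opaque(ldb, "credentials", cred)) {
		ret = ldb_operr(ldb);
		goto fail;
	}
	talloc_free(tmp_ctx);
	return LDB_SUCCESS;

fail:
	/* cred is not yet referenced by ldb, so it is safe to drop it here. */
	talloc_free(cred);
	talloc_free(tmp_ctx);
	return ret;
}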