added a REALLY gross hack into kerberos_kinit_password so that

winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)

source3/include/ads.h

@@ -12,6 +12,7 @@ typedef struct {
 	int ldap_port;
 	char *bind_path;
 	time_t last_attempt;
+	char *password;
 } ADS_STRUCT;
 
 

source3/libads/ads_struct.c

@@ -134,7 +134,8 @@ static char *find_ldap_server(ADS_STRUCT *ads)
 */
 ADS_STRUCT *ads_init(const char *realm, 
 		     const char *ldap_server,
-		     const char *bind_path)
+		     const char *bind_path,
+		     const char *password)
 {
 	ADS_STRUCT *ads;
 	
@@ -145,6 +146,7 @@ ADS_STRUCT *ads_init(const char *realm,
 	ads->ldap_server = ldap_server? strdup(ldap_server) : NULL;
 	ads->bind_path = bind_path? strdup(bind_path) : NULL;
 	ads->ldap_port = LDAP_PORT;
+	if (password) ads->password = strdup(password);
 
 	if (!ads->realm) {
 		ads->realm = strdup(lp_realm());
@@ -181,6 +183,7 @@ void ads_destroy(ADS_STRUCT **ads)
 		SAFE_FREE((*ads)->ldap_server);
 		SAFE_FREE((*ads)->kdc_server);
 		SAFE_FREE((*ads)->bind_path);
+		SAFE_FREE((*ads)->password);
 		ZERO_STRUCTP(*ads);
 		SAFE_FREE(*ads);
 	}

source3/libads/kerberos.c

@@ -23,6 +23,27 @@
 
 #ifdef HAVE_KRB5
 
+
+/* VERY nasty hack until we have proper kerberos code for this */
+void kerberos_kinit_password(ADS_STRUCT *ads)
+{
+	char *s;
+	FILE *f;
+	extern pstring global_myname;
+	fstring myname;
+	fstrcpy(myname, global_myname);
+	strlower(myname);
+	asprintf(&s, "kinit 'HOST/%s@%s'", global_myname, ads->realm);
+	DEBUG(0,("HACK!! Running %s\n", s));
+	f = popen(s, "w");
+	if (f) {
+		fprintf(f,"%s\n", ads->password);
+		fflush(f);
+		fclose(f);
+	}
+	free(s);
+}
+
 /*
   verify an incoming ticket and parse out the principal name and 
   authorization_data if available 

source3/libads/ldap.c

@@ -70,6 +70,10 @@ int ads_connect(ADS_STRUCT *ads)
 	}
 	ldap_set_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 
+	if (ads->password) {
+		kerberos_kinit_password(ads);
+	}
+
 	rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL, 
 					  LDAP_SASL_QUIET,
 					  sasl_interact, NULL);

source3/nsswitch/winbindd_ads.c

@@ -38,7 +38,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
 		return (ADS_STRUCT *)domain->private;
 	}
 
-	ads = ads_init(NULL, NULL, NULL);
+	ads = ads_init(NULL, NULL, NULL, secrets_fetch_machine_password());
 	if (!ads) {
 		DEBUG(1,("ads_init for domain %s failed\n", domain->name));
 		return NULL;

source3/smbd/negprot.c

@@ -186,7 +186,7 @@ static int negprot_spnego(char *p)
 #endif
 	{
 		ADS_STRUCT *ads;
-		ads = ads_init(NULL, NULL, NULL);
+		ads = ads_init(NULL, NULL, NULL, NULL);
 		
 		/* win2000 uses host$@REALM, which we will probably use eventually,
 		   but for now this works */

source3/smbd/sesssetup.c

@@ -87,7 +87,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
 		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
 	}
 
-	ads = ads_init(NULL, NULL, NULL);
+	ads = ads_init(NULL, NULL, NULL, NULL);
 
 	ret = ads_verify_ticket(ads, &ticket, &client, &auth_data);
 	if (!NT_STATUS_IS_OK(ret)) {

source3/utils/net_ads.c

@@ -44,7 +44,7 @@ static ADS_STRUCT *ads_startup(void)
 {
 	ADS_STRUCT *ads;
 	int rc;
-	ads = ads_init(NULL, NULL, NULL);
+	ads = ads_init(NULL, NULL, NULL, NULL);
 
 	rc = ads_connect(ads);
 	if (rc) {