Use secrets.ldb to store credentials to contact LDAP backend.

This makes Samba4 behave much like Samba3 did, and use a single set of
administrative credentials for it's connection to LDAP.

Andrew Bartlett

source/dsdb/samdb/samdb.c

@@ -39,6 +39,8 @@
 #include "dsdb/common/flags.h"
 #include "param/param.h"
 #include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 
 char *samdb_relative_path(struct ldb_context *ldb,
 				 TALLOC_CTX *mem_ctx, 
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
 	return full_name;
 }
 
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx, 
+					  struct event_context *event_ctx, 
+					  struct loadparm_context *lp_ctx) 
+{
+	struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+	if (!cred) {
+		return NULL;
+	}
+	cli_credentials_set_conf(cred, lp_ctx);
+
+	/* We don't want to use krb5 to talk to our samdb - recursion
+	 * here would be bad, and this account isn't in the KDC
+	 * anyway */
+	cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+	if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+							 SECRETS_LDAP_FILTER))) {
+		/* Perfectly OK - if not against an LDAP backend */
+		return NULL;
+	}
+	return cred;
+}
 
 /*
   connect to the SAM database
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 	struct ldb_context *ldb;
 	ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 
 			       lp_sam_url(lp_ctx), session_info,
-			       NULL, 0, NULL);
+			       samdb_credentials(mem_ctx, ev_ctx, lp_ctx), 
+			       0, NULL);
 	if (!ldb) {
 		return NULL;
 	}

source/ldap_server/ldap_backend.c

@@ -21,13 +21,13 @@
 #include "ldap_server/ldap_server.h"
 #include "lib/util/dlinklist.h"
 #include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
 #include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
 	if (!(dn)) {\
@@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
 				     conn->lp_ctx,
 				     lp_sam_url(conn->lp_ctx), 
 				     conn->session_info,
-				     NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+				     samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx), 
+				     conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
 	if (conn->ldb == NULL) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}

source/libnet/libnet_samsync_ldb.c

@@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str
 	state->secrets         = NULL;
 	state->trusted_domains = NULL;
 
-	state->sam_ldb         = ldb_wrap_connect(mem_ctx, 
-						  ctx->event_ctx,
-						  ctx->lp_ctx, 
-						  lp_sam_url(ctx->lp_ctx), 
-						  r->in.session_info,
-						  ctx->cred, 0, NULL);
+	state->sam_ldb         = samdb_connect(mem_ctx, 
+					       ctx->event_ctx,
+					       ctx->lp_ctx, 
+					       r->in.session_info);
 
 	r2.out.error_string    = NULL;
 	r2.in.binding_string   = r->in.binding_string;