From e396a59788d77aa2fbf3b523c3773fe0e5c976c0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 15 Jul 2008 15:07:13 +1000
Subject: [PATCH] Use secrets.ldb to store credentials to contact LDAP backend.

This makes Samba4 behave much like Samba3 did, and use a single set of administrative credentials for it's connection to LDAP.

Andrew Bartlett
---
 source/dsdb/samdb/samdb.c          | 27 ++++++++++++++++++++++++++-
 source/ldap_server/ldap_backend.c  |  9 +++++----
 source/libnet/libnet_samsync_ldb.c | 10 ++++------
 3 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/source/dsdb/samdb/samdb.c b/source/dsdb/samdb/samdb.c
index acc2c2a9a15..b5b7ddfdc6d 100644
--- a/source/dsdb/samdb/samdb.c
+++ b/source/dsdb/samdb/samdb.c
@@ -39,6 +39,8 @@
 #include "dsdb/common/flags.h"
 #include "param/param.h"
 #include "lib/events/events.h"
+#include "auth/credentials/credentials.h"
+#include "param/secrets.h"
 
 char *samdb_relative_path(struct ldb_context *ldb,
			   TALLOC_CTX *mem_ctx,
@@ -67,6 +69,28 @@ char *samdb_relative_path(struct ldb_context *ldb,
 	return full_name;
 }
 
+struct cli_credentials *samdb_credentials(TALLOC_CTX *mem_ctx,
+					  struct event_context *event_ctx,
+					  struct loadparm_context *lp_ctx)
+{
+	struct cli_credentials *cred = cli_credentials_init(mem_ctx);
+	if (!cred) {
+		return NULL;
+	}
+	cli_credentials_set_conf(cred, lp_ctx);
+
+	/* We don't want to use krb5 to talk to our samdb - recursion
+	 * here would be bad, and this account isn't in the KDC
+	 * anyway */
+	cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+	if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+							 SECRETS_LDAP_FILTER))) {
+		/* Perfectly OK - if not against an LDAP backend */
+		return NULL;
+	}
+	return cred;
+}
 
 /* connect to the SAM database
@@ -80,7 +104,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 	struct ldb_context *ldb;
 	ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx,
			       lp_sam_url(lp_ctx), session_info,
-			       NULL, 0, NULL);
+			       samdb_credentials(mem_ctx, ev_ctx, lp_ctx),
+			       0, NULL);
 	if (!ldb) {
 		return NULL;
 	}
diff --git a/source/ldap_server/ldap_backend.c b/source/ldap_server/ldap_backend.c
index 2193c989cf3..504dcf1c0f1 100644
--- a/source/ldap_server/ldap_backend.c
+++ b/source/ldap_server/ldap_backend.c
@@ -21,13 +21,13 @@
 #include "ldap_server/ldap_server.h"
 #include "lib/util/dlinklist.h"
 #include "libcli/ldap/ldap.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "lib/ldb_wrap.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
 #include "smbd/service_stream.h"
+#include "dsdb/samdb/samdb.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "lib/ldb_wrap.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
 	if (!(dn)) {\
@@ -61,7 +61,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
				     conn->lp_ctx,
				     lp_sam_url(conn->lp_ctx),
				     conn->session_info,
-				     NULL, conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
+				     samdb_credentials(conn, conn->connection->event.ctx, conn->lp_ctx),
+				     conn->global_catalog ? LDB_FLG_RDONLY : 0, NULL);
 	if (conn->ldb == NULL) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
diff --git a/source/libnet/libnet_samsync_ldb.c b/source/libnet/libnet_samsync_ldb.c
index a79bf043a51..b223a74a31e 100644
--- a/source/libnet/libnet_samsync_ldb.c
+++ b/source/libnet/libnet_samsync_ldb.c
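Review bot: The `samdb_credentials(mem_ctx, ev_ctx, lp_ctx)` argument on the rewritten ldb_wrap_connect() call cannot tell "no LDAP backend" apart from "cli_credentials_init() or the secrets lookup failed", because the helper (added in the previous hunk of this file) returns NULL for all three, so against an LDAP backend a broken secrets.ldb silently turns into a bind with NULL credentials instead of an error. The same helper also leaves the cli_credentials it allocated on mem_ctx behind on its secrets-failure `return NULL;`, so every samdb_connect() on a non-LDAP backend parks an orphaned credentials object on the caller's context until mem_ctx is freed. Suggested: in samdb_credentials, `talloc_free(cred);` before that `return NULL;`, plus a debug-level log line in the same branch so an unexpected fallback shows up in the logs. The ldapsrv_backend_Init() hunk in source/ldap_server/ldap_backend.c consumes the same return value and has the same gap. samdb_connect() itself begins before this hunk.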
@@ -1222,12 +1222,10 @@ NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, str
 	state->secrets = NULL;
 	state->trusted_domains = NULL;
 
-	state->sam_ldb = ldb_wrap_connect(mem_ctx,
-					  ctx->event_ctx,
-					  ctx->lp_ctx,
-					  lp_sam_url(ctx->lp_ctx),
-					  r->in.session_info,
-					  ctx->cred, 0, NULL);
+	state->sam_ldb = samdb_connect(mem_ctx,
+				       ctx->event_ctx,
+				       ctx->lp_ctx,
+				       r->in.session_info);
 
 	r2.out.error_string = NULL;
 	r2.in.binding_string = r->in.binding_string;
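Review bot: The new samdb_connect() call drops the `ctx->cred` that the removed ldb_wrap_connect() call passed, so the backend bind now depends on whatever is stored in secrets.ldb rather than on the credentials the caller supplied, and nothing in the hunk records why ctx->cred is no longer used. Worth a short comment above the call, e.g. `/* an LDAP backend is bound with the credentials held in secrets.ldb (see samdb_credentials()), not with ctx->cred */`. If a samsync can run before those backend credentials have been written to secrets.ldb, the connection would presumably fall back to NULL credentials without any error from this code — worth confirming against the provisioning order. libnet_samsync_ldb() starts before and continues past this hunk.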