s4:objectclass LDB module - we should not simply ignore additional "objectClass"...
[Samba/gebeck_regimport.git] / source3 / libads / kerberos_util.c
blob4762e1b91436f6a7f1a0548a9ef06c97bbf41772
1 /*
2 Unix SMB/CIFS implementation.
3 krb5 set password implementation
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "smb_krb5.h"
23 #include "ads.h"
25 #ifdef HAVE_KRB5
27 /**
28 * Set the machine account password
29 * @param ads connection to ads server
30 * @param hostname machine whose password is being set
31 * @param password new password
32 * @return status of password change
33 **/
34 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
35 const char *machine_account,
36 const char *password)
38 ADS_STATUS status;
39 char *principal = NULL;
42 we need to use the '$' form of the name here (the machine account name),
43 as otherwise the server might end up setting the password for a user
44 instead
46 if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
47 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
50 status = ads_krb5_set_password(ads->auth.kdc_server, principal,
51 password, ads->auth.time_offset);
53 SAFE_FREE(principal);
54 return status;
57 /* run kinit to setup our ccache */
58 int ads_kinit_password(ADS_STRUCT *ads)
60 char *s;
61 int ret;
62 const char *account_name;
63 fstring acct_name;
65 if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
66 account_name = ads->auth.user_name;
67 goto got_accountname;
70 if ( IS_DC ) {
71 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
72 account_name = lp_workgroup();
73 } else {
74 /* always use the sAMAccountName for security = domain */
75 /* global_myname()$@REA.LM */
76 if ( lp_security() == SEC_DOMAIN ) {
77 fstr_sprintf( acct_name, "%s$", global_myname() );
78 account_name = acct_name;
80 else
81 /* This looks like host/global_myname()@REA.LM */
82 account_name = ads->auth.user_name;
85 got_accountname:
86 if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
87 return KRB5_CC_NOMEM;
90 if (!ads->auth.password) {
91 SAFE_FREE(s);
92 return KRB5_LIBOS_CANTREADPWD;
95 ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
96 &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
97 NULL);
99 if (ret) {
100 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
101 s, error_message(ret)));
103 SAFE_FREE(s);
104 return ret;
107 #endif