search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r85: Update the winbind interface version, as I just extended the struct.
[Samba/gebeck_regimport.git] / source3 / passdb / secrets.c
blob308f95f395b8e64b430111afc3639c8fa76ef6c4
1 /*
2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 /* the Samba secrets database stores any generated, private information
24 such as the local SID and machine trust password */
25
26 #include "includes.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_PASSDB
30
31 static TDB_CONTEXT *tdb;
32
33 /* open up the secrets database */
34 BOOL secrets_init(void)
35 {
36 pstring fname;
37
38 if (tdb)
39 return True;
40
41 pstrcpy(fname, lp_private_dir());
42 pstrcat(fname,"/secrets.tdb");
43
44 tdb = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
45
46 if (!tdb) {
47 DEBUG(0,("Failed to open %s\n", fname));
48 return False;
49 }
50 return True;
51 }
52
53 /* read a entry from the secrets database - the caller must free the result
54 if size is non-null then the size of the entry is put in there
55 */
56 void *secrets_fetch(const char *key, size_t *size)
57 {
58 TDB_DATA kbuf, dbuf;
59 secrets_init();
60 if (!tdb)
61 return NULL;
62 kbuf.dptr = (char *)key;
63 kbuf.dsize = strlen(key);
64 dbuf = tdb_fetch(tdb, kbuf);
65 if (size)
66 *size = dbuf.dsize;
67 return dbuf.dptr;
68 }
69
70 /* store a secrets entry
71 */
72 BOOL secrets_store(const char *key, const void *data, size_t size)
73 {
74 TDB_DATA kbuf, dbuf;
75 secrets_init();
76 if (!tdb)
77 return False;
78 kbuf.dptr = (char *)key;
79 kbuf.dsize = strlen(key);
80 dbuf.dptr = (char *)data;
81 dbuf.dsize = size;
82 return tdb_store(tdb, kbuf, dbuf, TDB_REPLACE) == 0;
83 }
84
85
86 /* delete a secets database entry
87 */
88 BOOL secrets_delete(const char *key)
89 {
90 TDB_DATA kbuf;
91 secrets_init();
92 if (!tdb)
93 return False;
94 kbuf.dptr = (char *)key;
95 kbuf.dsize = strlen(key);
96 return tdb_delete(tdb, kbuf) == 0;
97 }
98
99 BOOL secrets_store_domain_sid(const char *domain, const DOM_SID *sid)
100 {
101 fstring key;
102 BOOL ret;
103
104 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain);
105 strupper_m(key);
106 ret = secrets_store(key, sid, sizeof(DOM_SID));
107
108 /* Force a re-query, in case we modified our domain */
109 if (ret)
110 reset_global_sam_sid();
111 return ret;
112 }
113
114 BOOL secrets_fetch_domain_sid(const char *domain, DOM_SID *sid)
115 {
116 DOM_SID *dyn_sid;
117 fstring key;
118 size_t size;
119
120 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain);
121 strupper_m(key);
122 dyn_sid = (DOM_SID *)secrets_fetch(key, &size);
123
124 if (dyn_sid == NULL)
125 return False;
126
127 if (size != sizeof(DOM_SID))
128 {
129 SAFE_FREE(dyn_sid);
130 return False;
131 }
132
133 *sid = *dyn_sid;
134 SAFE_FREE(dyn_sid);
135 return True;
136 }
137
138 BOOL secrets_store_domain_guid(const char *domain, GUID *guid)
139 {
140 fstring key;
141
142 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
143 strupper_m(key);
144 return secrets_store(key, guid, sizeof(GUID));
145 }
146
147 BOOL secrets_fetch_domain_guid(const char *domain, GUID *guid)
148 {
149 GUID *dyn_guid;
150 fstring key;
151 size_t size;
152 GUID new_guid;
153
154 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain);
155 strupper_m(key);
156 dyn_guid = (GUID *)secrets_fetch(key, &size);
157
158 DEBUG(6,("key is %s, size is %d\n", key, (int)size));
159
160 if ((NULL == dyn_guid) && (ROLE_DOMAIN_PDC == lp_server_role())) {
161 smb_uuid_generate_random(&new_guid);
162 if (!secrets_store_domain_guid(domain, &new_guid))
163 return False;
164 dyn_guid = (GUID *)secrets_fetch(key, &size);
165 if (dyn_guid == NULL)
166 return False;
167 }
168
169 if (size != sizeof(GUID))
170 {
171 SAFE_FREE(dyn_guid);
172 return False;
173 }
174
175 *guid = *dyn_guid;
176 SAFE_FREE(dyn_guid);
177 return True;
178 }
179
180 /**
181 * Form a key for fetching the machine trust account password
182 *
183 * @param domain domain name
184 *
185 * @return stored password's key
186 **/
187 const char *trust_keystr(const char *domain)
188 {
189 static fstring keystr;
190
191 slprintf(keystr,sizeof(keystr)-1,"%s/%s",
192 SECRETS_MACHINE_ACCT_PASS, domain);
193 strupper_m(keystr);
194
195 return keystr;
196 }
197
198 /**
199 * Form a key for fetching a trusted domain password
200 *
201 * @param domain trusted domain name
202 *
203 * @return stored password's key
204 **/
205 static char *trustdom_keystr(const char *domain)
206 {
207 static pstring keystr;
208
209 pstr_sprintf(keystr, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS, domain);
210 strupper_m(keystr);
211
212 return keystr;
213 }
214
215 /************************************************************************
216 Lock the trust password entry.
217 ************************************************************************/
218
219 BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock)
220 {
221 if (!tdb)
222 return False;
223
224 if (dolock)
225 return (tdb_lock_bystring(tdb, trust_keystr(domain),0) == 0);
226 else
227 tdb_unlock_bystring(tdb, trust_keystr(domain));
228 return True;
229 }
230
231 /************************************************************************
232 Routine to get the default secure channel type for trust accounts
233 ************************************************************************/
234
235 uint32 get_default_sec_channel(void)
236 {
237 if (lp_server_role() == ROLE_DOMAIN_BDC ||
238 lp_server_role() == ROLE_DOMAIN_PDC) {
239 return SEC_CHAN_BDC;
240 } else {
241 return SEC_CHAN_WKSTA;
242 }
243 }
244
245 /************************************************************************
246 Routine to get the trust account password for a domain.
247 The user of this function must have locked the trust password file using
248 the above call.
249 ************************************************************************/
250
251 BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
252 time_t *pass_last_set_time,
253 uint32 *channel)
254 {
255 struct machine_acct_pass *pass;
256 char *plaintext;
257 size_t size;
258
259 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
260 channel);
261 if (plaintext) {
262 DEBUG(4,("Using cleartext machine password\n"));
263 E_md4hash(plaintext, ret_pwd);
264 SAFE_FREE(plaintext);
265 return True;
266 }
267
268 if (!(pass = secrets_fetch(trust_keystr(domain), &size))) {
269 DEBUG(5, ("secrets_fetch failed!\n"));
270 return False;
271 }
272
273 if (size != sizeof(*pass)) {
274 DEBUG(0, ("secrets were of incorrect size!\n"));
275 return False;
276 }
277
278 if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
279 memcpy(ret_pwd, pass->hash, 16);
280 SAFE_FREE(pass);
281
282 if (channel)
283 *channel = get_default_sec_channel();
284
285 return True;
286 }
287
288 /************************************************************************
289 Routine to get account password to trusted domain
290 ************************************************************************/
291
292 BOOL secrets_fetch_trusted_domain_password(const char *domain, char** pwd,
293 DOM_SID *sid, time_t *pass_last_set_time)
294 {
295 struct trusted_dom_pass pass;
296 size_t size;
297
298 /* unpacking structures */
299 char* pass_buf;
300 int pass_len = 0;
301
302 ZERO_STRUCT(pass);
303
304 /* fetching trusted domain password structure */
305 if (!(pass_buf = secrets_fetch(trustdom_keystr(domain), &size))) {
306 DEBUG(5, ("secrets_fetch failed!\n"));
307 return False;
308 }
309
310 /* unpack trusted domain password */
311 pass_len = tdb_trusted_dom_pass_unpack(pass_buf, size, &pass);
312 SAFE_FREE(pass_buf);
313
314 if (pass_len != size) {
315 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
316 return False;
317 }
318
319 /* the trust's password */
320 if (pwd) {
321 *pwd = strdup(pass.pass);
322 if (!*pwd) {
323 return False;
324 }
325 }
326
327 /* last change time */
328 if (pass_last_set_time) *pass_last_set_time = pass.mod_time;
329
330 /* domain sid */
331 sid_copy(sid, &pass.domain_sid);
332
333 return True;
334 }
335
336 /************************************************************************
337 Routine to set the trust account password for a domain.
338 ************************************************************************/
339
340 BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])
341 {
342 struct machine_acct_pass pass;
343
344 pass.mod_time = time(NULL);
345 memcpy(pass.hash, new_pwd, 16);
346
347 return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
348 }
349
350 /**
351 * Routine to store the password for trusted domain
352 *
353 * @param domain remote domain name
354 * @param pwd plain text password of trust relationship
355 * @param sid remote domain sid
356 *
357 * @return true if succeeded
358 **/
359
360 BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_dom_name,
361 size_t uni_name_len, const char* pwd,
362 DOM_SID sid)
363 {
364 /* packing structures */
365 pstring pass_buf;
366 int pass_len = 0;
367 int pass_buf_len = sizeof(pass_buf);
368
369 struct trusted_dom_pass pass;
370 ZERO_STRUCT(pass);
371
372 /* unicode domain name and its length */
373 if (!uni_dom_name)
374 return False;
375
376 strncpy_w(pass.uni_name, uni_dom_name, sizeof(pass.uni_name) - 1);
377 pass.uni_name_len = uni_name_len;
378
379 /* last change time */
380 pass.mod_time = time(NULL);
381
382 /* password of the trust */
383 pass.pass_len = strlen(pwd);
384 fstrcpy(pass.pass, pwd);
385
386 /* domain sid */
387 sid_copy(&pass.domain_sid, &sid);
388
389 pass_len = tdb_trusted_dom_pass_pack(pass_buf, pass_buf_len, &pass);
390
391 return secrets_store(trustdom_keystr(domain), (void *)&pass_buf, pass_len);
392 }
393
394 /************************************************************************
395 Routine to set the plaintext machine account password for a realm
396 the password is assumed to be a null terminated ascii string
397 ************************************************************************/
398
399 BOOL secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
400 {
401 char *key = NULL;
402 BOOL ret;
403 uint32 last_change_time;
404 uint32 sec_channel_type;
405
406 asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
407 if (!key)
408 return False;
409 strupper_m(key);
410
411 ret = secrets_store(key, pass, strlen(pass)+1);
412 SAFE_FREE(key);
413
414 if (!ret)
415 return ret;
416
417 asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
418 if (!key)
419 return False;
420 strupper_m(key);
421
422 SIVAL(&last_change_time, 0, time(NULL));
423 ret = secrets_store(key, &last_change_time, sizeof(last_change_time));
424 SAFE_FREE(key);
425
426 asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
427 if (!key)
428 return False;
429 strupper_m(key);
430
431 SIVAL(&sec_channel_type, 0, sec_channel);
432 ret = secrets_store(key, &sec_channel_type, sizeof(sec_channel_type));
433 SAFE_FREE(key);
434
435 return ret;
436 }
437
438
439 /************************************************************************
440 Routine to fetch the plaintext machine account password for a realm
441 the password is assumed to be a null terminated ascii string
442 ************************************************************************/
443 char *secrets_fetch_machine_password(const char *domain,
444 time_t *pass_last_set_time,
445 uint32 *channel)
446 {
447 char *key = NULL;
448 char *ret;
449 asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
450 strupper_m(key);
451 ret = (char *)secrets_fetch(key, NULL);
452 SAFE_FREE(key);
453
454 if (pass_last_set_time) {
455 size_t size;
456 uint32 *last_set_time;
457 asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
458 strupper_m(key);
459 last_set_time = secrets_fetch(key, &size);
460 if (last_set_time) {
461 *pass_last_set_time = IVAL(last_set_time,0);
462 SAFE_FREE(last_set_time);
463 } else {
464 *pass_last_set_time = 0;
465 }
466 SAFE_FREE(key);
467 }
468
469 if (channel) {
470 size_t size;
471 uint32 *channel_type;
472 asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
473 strupper_m(key);
474 channel_type = secrets_fetch(key, &size);
475 if (channel_type) {
476 *channel = IVAL(channel_type,0);
477 SAFE_FREE(channel_type);
478 } else {
479 *channel = get_default_sec_channel();
480 }
481 SAFE_FREE(key);
482 }
483
484 return ret;
485 }
486
487
488
489 /************************************************************************
490 Routine to delete the machine trust account password file for a domain.
491 ************************************************************************/
492
493 BOOL trust_password_delete(const char *domain)
494 {
495 return secrets_delete(trust_keystr(domain));
496 }
497
498 /************************************************************************
499 Routine to delete the password for trusted domain
500 ************************************************************************/
501
502 BOOL trusted_domain_password_delete(const char *domain)
503 {
504 return secrets_delete(trustdom_keystr(domain));
505 }
506
507
508 /*******************************************************************
509 Reset the 'done' variables so after a client process is created
510 from a fork call these calls will be re-done. This should be
511 expanded if more variables need reseting.
512 ******************************************************************/
513
514 void reset_globals_after_fork(void)
515 {
516 unsigned char dummy;
517
518 secrets_init();
519
520 /*
521 * Increment the global seed value to ensure every smbd starts
522 * with a new random seed.
523 */
524
525 if (tdb) {
526 uint32 initial_val = sys_getpid();
527 tdb_change_int32_atomic(tdb, "INFO/random_seed", (int *)&initial_val, 1);
528 set_rand_reseed_data((unsigned char *)&initial_val, sizeof(initial_val));
529 }
530
531 /*
532 * Re-seed the random crypto generator, so all smbd's
533 * started from the same parent won't generate the same
534 * sequence.
535 */
536 generate_random_buffer( &dummy, 1, True);
537 }
538
539 BOOL secrets_store_ldap_pw(const char* dn, char* pw)
540 {
541 char *key = NULL;
542 BOOL ret;
543
544 if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) {
545 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
546 return False;
547 }
548
549 ret = secrets_store(key, pw, strlen(pw)+1);
550
551 SAFE_FREE(key);
552 return ret;
553 }
554
555
556 /**
557 * Get trusted domains info from secrets.tdb.
558 *
559 * The linked list is allocated on the supplied talloc context, caller gets to destroy
560 * when done.
561 *
562 * @param ctx Allocation context
563 * @param enum_ctx Starting index, eg. we can start fetching at third
564 * or sixth trusted domain entry. Zero is the first index.
565 * Value it is set to is the enum context for the next enumeration.
566 * @param num_domains Number of domain entries to fetch at one call
567 * @param domains Pointer to array of trusted domain structs to be filled up
568 *
569 * @return nt status code of rpc response
570 **/
571
572 NTSTATUS secrets_get_trusted_domains(TALLOC_CTX* ctx, int* enum_ctx, unsigned int max_num_domains, int *num_domains, TRUSTDOM ***domains)
573 {
574 TDB_LIST_NODE *keys, *k;
575 TRUSTDOM *dom = NULL;
576 char *pattern;
577 unsigned int start_idx;
578 uint32 idx = 0;
579 size_t size, packed_size = 0;
580 fstring dom_name;
581 char *packed_pass;
582 struct trusted_dom_pass *pass = talloc_zero(ctx, sizeof(struct trusted_dom_pass));
583 NTSTATUS status;
584
585 if (!secrets_init()) return NT_STATUS_ACCESS_DENIED;
586
587 if (!pass) {
588 DEBUG(0, ("talloc_zero failed!\n"));
589 return NT_STATUS_NO_MEMORY;
590 }
591
592 *num_domains = 0;
593 start_idx = *enum_ctx;
594
595 /* generate searching pattern */
596 if (!(pattern = talloc_asprintf(ctx, "%s/*", SECRETS_DOMTRUST_ACCT_PASS))) {
597 DEBUG(0, ("secrets_get_trusted_domains: talloc_asprintf() failed!\n"));
598 return NT_STATUS_NO_MEMORY;
599 }
600
601 DEBUG(5, ("secrets_get_trusted_domains: looking for %d domains, starting at index %d\n",
602 max_num_domains, *enum_ctx));
603
604 *domains = talloc_zero(ctx, sizeof(**domains)*max_num_domains);
605
606 /* fetching trusted domains' data and collecting them in a list */
607 keys = tdb_search_keys(tdb, pattern);
608
609 /*
610 * if there's no keys returned ie. no trusted domain,
611 * return "no more entries" code
612 */
613 status = NT_STATUS_NO_MORE_ENTRIES;
614
615 /* searching for keys in secrets db -- way to go ... */
616 for (k = keys; k; k = k->next) {
617 char *secrets_key;
618
619 /* important: ensure null-termination of the key string */
620 secrets_key = strndup(k->node_key.dptr, k->node_key.dsize);
621 if (!secrets_key) {
622 DEBUG(0, ("strndup failed!\n"));
623 return NT_STATUS_NO_MEMORY;
624 }
625
626 packed_pass = secrets_fetch(secrets_key, &size);
627 packed_size = tdb_trusted_dom_pass_unpack(packed_pass, size, pass);
628 /* packed representation isn't needed anymore */
629 SAFE_FREE(packed_pass);
630
631 if (size != packed_size) {
632 DEBUG(2, ("Secrets record %s is invalid!\n", secrets_key));
633 continue;
634 }
635
636 pull_ucs2_fstring(dom_name, pass->uni_name);
637 DEBUG(18, ("Fetched secret record num %d.\nDomain name: %s, SID: %s\n",
638 idx, dom_name, sid_string_static(&pass->domain_sid)));
639
640 SAFE_FREE(secrets_key);
641
642 if (idx >= start_idx && idx < start_idx + max_num_domains) {
643 dom = talloc_zero(ctx, sizeof(*dom));
644 if (!dom) {
645 /* free returned tdb record */
646 return NT_STATUS_NO_MEMORY;
647 }
648
649 /* copy domain sid */
650 SMB_ASSERT(sizeof(dom->sid) == sizeof(pass->domain_sid));
651 memcpy(&(dom->sid), &(pass->domain_sid), sizeof(dom->sid));
652
653 /* copy unicode domain name */
654 dom->name = talloc_strdup_w(ctx, pass->uni_name);
655
656 (*domains)[idx - start_idx] = dom;
657
658 DEBUG(18, ("Secret record is in required range.\n \
659 start_idx = %d, max_num_domains = %d. Added to returned array.\n",
660 start_idx, max_num_domains));
661
662 *enum_ctx = idx + 1;
663 (*num_domains)++;
664
665 /* set proper status code to return */
666 if (k->next) {
667 /* there are yet some entries to enumerate */
668 status = STATUS_MORE_ENTRIES;
669 } else {
670 /* this is the last entry in the whole enumeration */
671 status = NT_STATUS_OK;
672 }
673 } else {
674 DEBUG(18, ("Secret is outside the required range.\n \
675 start_idx = %d, max_num_domains = %d. Not added to returned array\n",
676 start_idx, max_num_domains));
677 }
678
679 idx++;
680 }
681
682 DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n", *num_domains));
683
684 /* free the results of searching the keys */
685 tdb_search_list_free(keys);
686
687 return status;
688 }
689
690 /*******************************************************************************
691 Lock the secrets tdb based on a string - this is used as a primitive form of mutex
692 between smbd instances.
693 *******************************************************************************/
694
695 BOOL secrets_named_mutex(const char *name, unsigned int timeout)
696 {
697 int ret = 0;
698
699 if (!message_init())
700 return False;
701
702 ret = tdb_lock_bystring(tdb, name, timeout);
703 if (ret == 0)
704 DEBUG(10,("secrets_named_mutex: got mutex for %s\n", name ));
705
706 return (ret == 0);
707 }
708
709 /*******************************************************************************
710 Unlock a named mutex.
711 *******************************************************************************/
712
713 void secrets_named_mutex_release(const char *name)
714 {
715 tdb_unlock_bystring(tdb, name);
716 DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name ));
717 }
718
719 /*********************************************************
720 Check to see if we must talk to the PDC to avoid sam
721 sync delays
722 ********************************************************/
723
724 BOOL must_use_pdc( const char *domain )
725 {
726 time_t now = time(NULL);
727 time_t last_change_time;
728 unsigned char passwd[16];
729
730 if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time, NULL) )
731 return False;
732
733 /*
734 * If the time the machine password has changed
735 * was less than about 15 minutes then we need to contact
736 * the PDC only, as we cannot be sure domain replication
737 * has yet taken place. Bug found by Gerald (way to go
738 * Gerald !). JRA.
739 */
740
741 if ( now - last_change_time < SAM_SYNC_WINDOW )
742 return True;
743
744 return False;
745
746 }
747
748 /*******************************************************************************
749 Store a complete AFS keyfile into secrets.tdb.
750 *******************************************************************************/
751
752 BOOL secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile *keyfile)
753 {
754 fstring key;
755
756 if ((cell == NULL) || (keyfile == NULL))
757 return False;
758
759 if (ntohl(keyfile->nkeys) > SECRETS_AFS_MAXKEYS)
760 return False;
761
762 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
763 return secrets_store(key, keyfile, sizeof(struct afs_keyfile));
764 }
765
766 /*******************************************************************************
767 Fetch the current (highest) AFS key from secrets.tdb
768 *******************************************************************************/
769 BOOL secrets_fetch_afs_key(const char *cell, struct afs_key *result)
770 {
771 fstring key;
772 struct afs_keyfile *keyfile;
773 size_t size;
774 uint32 i;
775
776 slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_AFS_KEYFILE, cell);
777
778 keyfile = (struct afs_keyfile *)secrets_fetch(key, &size);
779
780 if (keyfile == NULL)
781 return False;
782
783 if (size != sizeof(struct afs_keyfile)) {
784 SAFE_FREE(keyfile);
785 return False;
786 }
787
788 i = ntohl(keyfile->nkeys);
789
790 if (i > SECRETS_AFS_MAXKEYS) {
791 SAFE_FREE(keyfile);
792 return False;
793 }
794
795 *result = keyfile->entry[i-1];
796
797 result->kvno = ntohl(result->kvno);
798
799 return True;
800 }
801
802 /******************************************************************************
803 When kerberos is not available, choose between anonymous or
804 authenticated connections.
805
806 We need to use an authenticated connection if DCs have the
807 RestrictAnonymous registry entry set > 0, or the "Additional
808 restrictions for anonymous connections" set in the win2k Local
809 Security Policy.
810
811 Caller to free() result in domain, username, password
812 *******************************************************************************/
813 void secrets_fetch_ipc_userpass(char **username, char **domain, char **password)
814 {
815 *username = secrets_fetch(SECRETS_AUTH_USER, NULL);
816 *domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
817 *password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
818
819 if (*username && **username) {
820
821 if (!*domain || !**domain)
822 *domain = smb_xstrdup(lp_workgroup());
823
824 if (!*password || !**password)
825 *password = smb_xstrdup("");
826
827 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
828 *domain, *username));
829
830 } else {
831 DEBUG(3, ("IPC$ connections done anonymously\n"));
832 *username = smb_xstrdup("");
833 *domain = smb_xstrdup("");
834 *password = smb_xstrdup("");
835 }
836 }
837
reg import