const struct winbindd_domain *creds_domain = NULL;
struct cli_credentials *creds;
NTSTATUS status;
+ bool force_machine_account = false;
/* If we are a DC and this is not our own domain */
- if (IS_DC && netlogon) {
+ if (!domain->active_directory) {
+ if (!netlogon) {
+ /*
+ * For non active directory domains
+ * we can only use NTLMSSP for SMB.
+ *
+ * But the trust account is not allowed
+ * to use SMB with NTLMSSP.
+ */
+ force_machine_account = true;
+ }
+ }
+
+ if (IS_DC && !force_machine_account) {
creds_domain = domain;
} else {
creds_domain = find_our_domain();
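Review bot: The context comment `/* If we are a DC and this is not our own domain */` now sits above the new `!domain->active_directory` block rather than the `IS_DC` test it describes, so it documents the wrong condition. Move it directly above `if (IS_DC && !force_machine_account) {` and extend it to say that the machine account is used instead of the trust account when `force_machine_account` is set. The two nested tests could also be written as one, `if (!domain->active_directory && !netlogon) {`, which keeps the explanatory comment at a single nesting level. The enclosing function starts and ends outside this hunk, so how `netlogon` is set is not visible here.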
goto ipc_fallback;
}
- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
- cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
- }
-
if (domain->primary && lp_security() == SEC_ADS) {
cli_credentials_set_kerberos_state(creds,
CRED_AUTO_USE_KERBEROS);
- } else if (!domain->active_directory) {
+ } else if (domain->active_directory) {
+ cli_credentials_set_kerberos_state(creds,
+ CRED_MUST_USE_KERBEROS);
+ } else {
cli_credentials_set_kerberos_state(creds,
CRED_DONT_USE_KERBEROS);
}
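Review bot: The rewritten chain leaves the primary domain under `SEC_ADS` on `CRED_AUTO_USE_KERBEROS` while every other `domain->active_directory` domain now gets `CRED_MUST_USE_KERBEROS`, and nothing in the hunk says whether that asymmetry is intended. AUTO still allows a non-Kerberos fallback, so the more permissive setting applies to the domain the host itself belongs to. A comment above the `if` should state the policy per branch, for example `/* primary AD domain: Kerberos preferred; other AD domains: Kerberos required; non-AD domains: no Kerberos */`. The function body continues outside the hunk, so whether `domain->active_directory` is established from authenticated information cannot be checked here and is worth confirming.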
machine_domain);
if (NT_STATUS_IS_OK(result)) {
- if (krb5_state != CRED_MUST_USE_KERBEROS) {
- /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- result = cli_init_creds(*cli, machine_account, machine_domain);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
- }
goto session_setup_done;
}
}
if (NT_STATUS_IS_OK(result)) {
- /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
goto session_setup_done;
}
*/
if (NT_STATUS_EQUAL(result, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)
|| NT_STATUS_EQUAL(result, NT_STATUS_TRUSTED_DOMAIN_FAILURE)
+ || NT_STATUS_EQUAL(result, NT_STATUS_INVALID_ACCOUNT_NAME)
|| NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
{
if (cli_credentials_is_anonymous(creds)) {
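Review bot: The added `NT_STATUS_INVALID_ACCOUNT_NAME` widens the set of server-returned statuses that enter this branch, and the hunk gives no reason why it is safe to treat like `NT_STATUS_LOGON_FAILURE`. Every status in this list is chosen by the remote peer, so each addition is one more answer that moves the client off the authenticated path. If this branch leads to the anonymous session setup, as the later "falling back to anonymous connection" message suggests, that should be stated next to the condition. Add a comment on the new line naming the server behaviour that returns this status. Also confirm the branch cannot be taken when a signed or authenticated session is required; the `if` body continues outside the hunk.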
machine_domain);
if (NT_STATUS_IS_OK(result)) {
- /* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- result = cli_init_creds(*cli, machine_account, machine_domain);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
goto session_setup_done;
}
goto done;
}
- creds = cli_credentials_init_anon(talloc_tos());
- if (creds == NULL) {
- result = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- machine_account = cli_credentials_get_username(creds);
- machine_password = cli_credentials_get_password(creds);
- machine_domain = cli_credentials_get_domain(creds);
-
/* Fall back to anonymous connection, this might fail later */
DEBUG(10,("cm_prepare_connection: falling back to anonymous "
"connection for DC %s\n",
(*cli)->use_kerberos = False;
- result = cli_session_setup(*cli,
- machine_account,
- machine_password,
- strlen(machine_password)+1,
- machine_password,
- strlen(machine_password)+1,
- machine_domain);
-
+ result = cli_session_setup(*cli, "", "", 0, "", 0, "");
if (NT_STATUS_IS_OK(result)) {
DEBUG(5, ("Connected anonymously\n"));
- result = cli_init_creds(*cli, machine_account, machine_domain, machine_password);
- if (!NT_STATUS_IS_OK(result)) {
- goto done;
- }
goto session_setup_done;
}
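Review bot: The new call `cli_session_setup(*cli, "", "", 0, "", 0, "")` passes six bare literals with nothing saying which is the user, the password or the domain, and the success path records the downgrade only at `DEBUG(5, ...)`. Add a comment above the call such as `/* anonymous session: empty user, password and domain */`. An unauthenticated session to a DC is a state operators will want to see during an investigation, so consider logging "Connected anonymously" together with the DC name at a lower debug level. With the `cli_init_creds` calls removed, it is also worth confirming that later pipe opens on this connection do not expect stored credentials; that code is outside the hunk.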
int num_dcs = 0;
const char **dcnames = NULL;
- int num_dcnames = 0;
+ size_t num_dcnames = 0;
struct sockaddr_storage *addrs = NULL;
int num_addrs = 0;
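Review bot: `num_dcnames` becomes `size_t` while the neighbouring counters `num_dcs` and `num_addrs` stay `int`, so any comparison or arithmetic that mixes them converts the signed value to unsigned. The uses are outside this hunk; check each loop bound that compares against `num_dcnames` and any format string that prints it, which would now need `%zu`. If the three counters are filled by the same helpers, changing them together would keep the declarations consistent.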
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No no user available for "
- "domain %s, trying schannel\n", conn->cli->domain));
+ "domain %s, trying schannel\n", domain->name));
goto schannel;
}
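Review bot: The context line of this message still reads "No no user available", here and in the two following hunks (the second `trying schannel` message and the `when trying schannel` message). Since the commit already edits the continuation line of each string, drop the doubled word in the same change: `"cm_connect_sam: No user available for "`. All three messages carry the `cm_connect_sam:` prefix; if they belong to different functions, which the hunks do not show, passing `__func__` through a `%s` would keep the prefix accurate.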
result = get_trust_credentials(domain, talloc_tos(), false, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No no user available for "
- "domain %s, trying schannel\n", conn->cli->domain));
+ "domain %s, trying schannel\n", domain->name));
goto schannel;
}
result = get_trust_credentials(domain, talloc_tos(), true, &creds);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10, ("cm_connect_sam: No no user available for "
- "domain %s when trying schannel\n", conn->cli->domain));
+ "domain %s when trying schannel\n", domain->name));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
{
NTSTATUS status;
+ status = init_dc_connection_rpc(domain, true);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||